That leaves analysts and SOC teams with an uphill battle to find and defend their organizations from the other 98% of their activity.
TTP-based detection built on DNS artefacts, used to uncover attacker infrastructure, is a new field of threat intelligence, and one that is far more useful for proactive defense than previous efforts.
What is TTP based detection for uncovering attacker infrastructure?
In practice, it means analysts look for evidence left behind by the attackers' infrastructure management processes and day-to-day tactics. These leave traces, mostly in DNS, that allow analysts to uncover the rest of a campaign that has been set up.
There are many aspects to this and many different pieces of evidence that analysts look for, which it is better not to reveal in a public forum. Some of the ideas are partly revealed in previous Silent Push blog posts, such as New Attributes and Malicious Infrastructure, which show some of the simpler parts.
However, to truly uncover the unknown 98% takes a well-organized research cycle that delivers new attributes and insights, which are then tested with machine-assisted learning before being tested with our behavior clustering. The result is the ability to expand knowledge of a campaign from the portion known to traditional security products to the unknown portion, the 98%. With this information, network defenders can really defend themselves against what is coming.
Silent Push is all about revealing that 98% to their customers. Not just that: they are also about revealing the underlying characteristics that let threat intelligence teams find what they need for their organization.
A few weeks ago, Afonso received a text message on his phone (in Portuguese) that translated to:
“Avoid blocking your account: Please access loguin-novobanco[.]com”
As in most phishing schemes, the malicious domain tries to impersonate the real one, and this was no exception. Afonso was clearly able to spot the word ‘loguin’ (‘login’ in Portuguese), so he decided to investigate a bit further.
Using the Silent Push App, Afonso ran a domain lookup to see what he could find.
At the time, the domain was being hosted on 13.66.4[.]22.
The first thing Afonso did was to investigate other domains on the same IP address and then on the same subnet. For that, he used the reverse IP lookup function. Since nothing interesting came up on the subnet, he decided to search for what else he could find on the same IP address:
This led to plenty of other bank phishing domains such as:
montepio-app[.]com, which spoofs Portuguese bank Montepio.
appitau-tarjeta.puntosarescatar[.]com, which spoofs a Brazilian bank.
Most of the domains were created less than a week earlier, so this meant Afonso could track everything from the beginning.
After checking on each domain, Afonso found they all used kinghostbr.*.orderbox-dns[.]com as nameservers. He decided to use the Silent Push API to see if he could find any other suspicious domains using these nameservers, and found Santander Bank spoofing domains, which had been taken down already.
None of the domains Afonso found seemed to have an active website at the time of his research; most just redirected to a photography page.
A few weeks ago I received an SMS message with the following content:
“Avoid having your account blocked: Please access loguin-novobanco[.]com”
As in most phishing schemes, the malicious domain tries to impersonate the official one, and this case was no exception. I could see this from the word ‘loguin’, from the English (login), so I decided to investigate a bit further.
I ran a domain search using the Silent Push application to see what I could find.
At the time, the domain was hosted on the IP 13.66.4[.]22. The first thing I did was investigate domains on the same IP or on the same subnet. For that I used the reverse IP lookup, but since nothing interesting came up on the same subnet, I decided just to search for what I could find on the same IP.
This led to a series of other domains used for phishing, such as:
montepio-app[.]com → Imitation of a Portuguese bank, Montepio.
appitau-tarjeta.puntosarescatar[.]com → Imitation of a Brazilian bank, Itaú.
And many more. Most of the domains had been created less than a week earlier, so this meant I could follow the domain creation process in more detail and from the beginning.
After checking each domain, I noticed a name server common to some of them, kinghostbr.*.orderbox-dns[.]com. I decided to use the API to see if I could find more phishing domains by filtering on the name server alone. That way I found some Santander imitation domains, but already inactive.
Most of the domains I found did not have an active web page, and those that did only redirected to a photography page.
The value of cyber security threat intelligence feeds can’t be overstated. However, like all security measures, not all cyber threat intelligence feeds are created equal. So what are some of the differences between a good and a great security feed?
There are of course a variety of factors that play into the value of any particular security feed. Some common considerations are relevancy and usability.
Unmeasurable Factors in Cyber Threat Intelligence Feeds
Generally speaking, a security feed that provides highly relevant data is providing data that is closely related to the target business or organization. Nowadays, many threats are targeted at specific businesses, which makes relevancy a critical factor in evaluating feeds.
Usability refers to how likely it is that information supplied by the security feed can lead to decisions that improve security. One of the end goals of a security feed is to allow for decisions that improve security policy making. If feed items only contain domains, IPs or hashes without any reasoning or clues as to why they are there, then they are not so useful. Each item needs to come with clues as to why it is suspicious and some information about how the feed is compiled in the first place so you know what you are looking at. Most importantly, this context will help you know how to use the information.
These factors are rare enough. One of the problems is, any given company may pay for a large number of security feeds. These feeds are quite expensive and may supply data that is repetitive. In the worst cases, one feed may simply be copying another. However, security feed analysts at the company may never know.
Expanding upon that, it’s also helpful to know which feeds are the first to share any potentially useful information. If an analyst had five security feeds that all detected the same potential risk, they’d want to know which detected it first and which last. In this way, the analyst can identify which feeds are the most valuable and which could be cut.
Evaluating Cyber Threat Intelligence Feeds with Silent Push
Silent Push provides two unique metrics to address the above issues to identify the best cyber threat intelligence feeds.
One of these metrics is called overlapping percentage. This refers to the proportion of indicators (IoCs) on that feed that are also seen on other feeds. Of course, a feed that provides unique data, data that isn’t seen on other feeds, can provide valuable insights.
Another percentage-based metric is originality percentage. Originality percentage means the proportion of indicators on any particular feed which were first shared by that feed. A feed that provides a large amount of original intelligence is a valuable asset to a business or organization.
To determine the value of a CTI feed against another, or many others, these two metrics are quite useful. Relevancy and usability are more closely connected to the information within a singular feed. But if a company is paying for many feeds, it’s possible that all of them can score high on relevancy and usability.
By employing these two additional metrics, unique to Silent Push, companies can save money and time by easily determining which feeds are the most valuable.
Value can translate into more than just spending less on repetitious security feeds. By identifying which feeds supply the best information the fastest, it may also be possible to react to targeted threats before they cause any damage. The concept of proactive threat detection, rather than reactive, is core to the Silent Push mission.
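As an added illustration (not Silent Push code), the two metrics can be computed from feeds that record when each feed first published an indicator. The feed names, indicators and timestamps below are constructed, and the rule that a tie on first-seen time counts as original for both feeds is an assumption of the example:

```python
"""Overlap and originality percentages for threat intelligence feeds.

Added example, not Silent Push's implementation. Each feed is modelled as a
mapping indicator -> time the feed first published it. All feeds are constructed.
"""
from datetime import datetime, timedelta

T0 = datetime(2021, 6, 1)
H = timedelta(hours=1)

# Constructed feeds. feed_c republishes everything a day later: a pure copier.
FEEDS = {
    "feed_a": {"evil1.test": T0, "evil2.test": T0 + H,
               "evil3.test": T0 + 2 * H, "only-a.test": T0},
    "feed_b": {"evil1.test": T0 + 3 * H, "evil2.test": T0 + H / 2,
               "evil4.test": T0},
    "feed_c": {"evil1.test": T0 + 24 * H, "evil2.test": T0 + 24 * H,
               "evil3.test": T0 + 24 * H, "evil4.test": T0 + 24 * H},
}


def overlap_pct(name, feeds):
    """Share of `name`'s indicators that also appear on at least one other feed."""
    mine = feeds[name]
    if not mine:
        return 0.0
    others = set().union(*(set(f) for n, f in feeds.items() if n != name))
    return round(100 * sum(1 for ioc in mine if ioc in others) / len(mine), 2)


def originality_pct(name, feeds):
    """Share of `name`'s indicators that no other feed published earlier.

    A tie counts as original for both feeds (assumption of this example).
    """
    mine = feeds[name]
    if not mine:
        return 0.0

    def first_elsewhere(ioc):
        seen = [f[ioc] for n, f in feeds.items() if n != name and ioc in f]
        return min(seen) if seen else None

    original = 0
    for ioc, when in mine.items():
        elsewhere = first_elsewhere(ioc)
        if elsewhere is None or when <= elsewhere:
            original += 1
    return round(100 * original / len(mine), 2)


def rank_feeds(feeds):
    """Rank feeds: most original first, least overlapping as tie-breaker."""
    rows = [(n, originality_pct(n, feeds), overlap_pct(n, feeds)) for n in feeds]
    return sorted(rows, key=lambda r: (-r[1], r[2]))


if __name__ == "__main__":
    for name, orig, ovl in rank_feeds(FEEDS):
        print(f"{name}: originality {orig:5.1f}%  overlap {ovl:5.1f}%")
```

In the constructed data, feed_c scores 100% overlap and 0% originality, which is the signature of a feed that merely copies others; feed_b has 100% overlap yet two thirds originality, so it is the first to report most of what it carries and is worth keeping despite the overlap.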
There’s an interesting paper here on how some academics evaluated security intelligence feeds, and on some of their results.
An autonomous system (AS) is a collection of IP subnets that is managed by a single administrative entity. Think of an ISP or a hosting provider, but also a large corporation or a university, many of which manage one or more autonomous systems. Each AS is assigned a unique number, called an ASN; in practice the terms AS and ASN are often used interchangeably.
ASNs play a crucial role in routing and thus in making the Internet work. However, because each is managed by a single entity, it also makes sense to assign a reputation to it, based on the amount of malicious activity hosted on the AS.
Silent Push assigns a reputation to each ASN that takes into account both the number of active IP addresses within the AS and the number of these that are currently being used for malicious activities.
The reputation of an ASN reflects the current state rather than a historical reputation, so that ASNs that shut down malicious activity will see their reputation drop immediately. Historic reputation data is available through the API.
The Silent Push platform’s threat score ranges from 0 (best reputation) to 100 (worst reputation). The following are the ASNs with the worst reputation, ranked by the number of IP addresses currently listed.
However, these ASNs are all quite small, each containing 2048 or fewer IP addresses. They host a relatively large amount of malicious activity, but in absolute terms their contribution to ‘bad things on the Internet’ is pretty small.
Look at the ASNs below that contain at least 100,000 IP addresses (active or not):
Now, a number of well-known companies appear in the list, including Tencent, Digital Ocean, Alibaba and Google.
Each of these cloud providers makes it easy for someone to quickly and anonymously set up a virtual server. That has many advantages for researchers and developers, but it also attracts those hosting malicious infrastructure, such as malware authors or those providing services to them.
It is not recommended to block something just because it is hosted by any of these providers. But something unknown hosted there definitely deserves some extra scrutiny.
Takedown reputation
In fairness, it is unreasonable to expect a hosting provider or other network to be able to proactively block all malicious activity on its network. After all, it’s not like a malicious actor is open about their intentions when renting a server or purchasing a domain.
This is why at Silent Push, one can assign a ‘takedown reputation’ to each ASN: a score from 0 (best reputation) to 100 (worst reputation) that measures how well an ASN takes down malicious activity hosted on its network.
If we add the takedown reputations to the previous table, we note they are all low, but in some cases not 0. This leaves some room for improvement for these ASNs when it comes to their due diligence in keeping the Internet free of malware and scams.
Finally, look at the ASNs with the worst takedown reputation. These are all pretty small, containing 4096 IP addresses or fewer, and have a takedown reputation higher than 90:
Conclusion
Simply ranking ASNs or hosting providers by the number of IP addresses that are hosting or have hosted malicious content ignores both their actual size and their responsiveness when it comes to takedown requests. By including both, Silent Push provides you with a clearer picture of what ASNs to consider somewhat suspicious, which combined with other context can help during an investigation.
Yesterday, a security engineer for the privacy-focused Brave web browser tweeted about a domain impersonating Brave that was promoted through Google ads.
The domain was bravė[.]com.
Note the accent on the e, which distinguishes it from brave[.]com, the domain it was impersonating.
This is an example of an Internationalized Domain Name (IDN), a domain name that includes non-ASCII characters. Such domains have an ASCII representation that starts with xn-- and uses Punycode to convert from ASCII to Unicode and vice versa. The ASCII representation of the impersonating domain is xn--brav-yva[.]com.
When IDNs are used to impersonate existing domains, one speaks of a homograph or homoglyph attack. Other than the use of accents on Latin characters, this also includes using similar-looking characters from non-Latin alphabets, such as using the Greek α instead of the Latin a. Though not incredibly common in practice, such attacks do exist and security researchers have warned about them for more than a decade.
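The ASCII/Unicode round trip and a look-alike check against a list of watched brands can be done with the Python standard library. The following is an added example, not code from the post or from Silent Push; the brand watchlist and the small confusables map are constructed, and treating the label left of the TLD as the brand label is an assumption:

```python
"""Decode IDN labels and flag homograph look-alikes of watched brand names.

Added example, not Silent Push code. WATCHLIST and CONFUSABLES are constructed
for this example; a production check would use the full Unicode confusables
data (UTS #39) and a Public Suffix List parser instead.
"""
import unicodedata

WATCHLIST = {"brave", "ledger", "signal", "telegram"}  # constructed

# Partial map of non-Latin letters to the Latin letter they resemble (constructed):
# Greek alpha/omicron and a few Cyrillic letters.
CONFUSABLES = {"α": "a", "ο": "o", "а": "a", "е": "e", "о": "o",
               "р": "p", "с": "c", "х": "x"}


def both_forms(domain):
    """Return (ascii_form, unicode_form) for a domain given in either form."""
    domain = domain.strip().rstrip(".").lower()
    try:
        raw = domain.encode("ascii")          # already ASCII / Punycode
        return raw.decode("ascii"), raw.decode("idna")
    except UnicodeEncodeError:                # given as Unicode
        return domain.encode("idna").decode("ascii"), domain


def skeleton(label):
    """Strip accents (NFKD, drop combining marks) and map known confusables."""
    out = []
    for ch in unicodedata.normalize("NFKD", label):
        if unicodedata.combining(ch):
            continue
        out.append(CONFUSABLES.get(ch, ch))
    return "".join(out)


def check_homograph(domain, watchlist=WATCHLIST):
    """Report the domain in both forms and which watched brand, if any, it mimics."""
    ascii_form, unicode_form = both_forms(domain)
    labels = unicode_form.split(".")
    # Assumption: brand label is the one left of the TLD (brand.com style)
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    is_idn = any(label.startswith("xn--") for label in ascii_form.split("."))
    skel = skeleton(sld)
    hit = skel if is_idn and skel in watchlist else None
    return {"ascii": ascii_form, "unicode": unicode_form,
            "skeleton": skel, "impersonates": hit}


if __name__ == "__main__":
    for d in ["xn--brav-yva.com", "xn--ldgr-xvaj.com", "brαve.com", "brave.com"]:
        print(check_homograph(d))
```

Only domains that are actually IDNs (an xn-- label) are reported, so the genuine brave.com never matches its own skeleton; the Greek-alpha case shows why the NFKD step alone is not enough and a confusables map is needed for non-Latin scripts.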
The bravė[.]com or xn--brav-yva[.]com domain was registered through NameCheap in June and is hosted at 185.198.166.104, which belongs to ITLDC, a Bulgarian cloud provider with servers in a number of countries.
Using the Silent Push app, the user can see what else is hosted there:
Three more domain names were found, all IDNs: xn--ldgr-xvaj[.]com, xn--sgnal-m3a[.]com and xn--teleram-ncb[.]com. The unicode representations of these domains are lędgėr[.]com, sīgnal[.]com and teleģram[.]com respectively, presumably impersonating cryptocurrency wallet maker Ledger and messaging apps Signal and Telegram. (I say ‘presumably’ because signal[.]com and telegram[.]com aren’t actually linked to the respective messaging apps.)
These other three domains were also registered at NameCheap. Using the Silent Push passive DNS, it was found that none of the domains had been seen at another IP address, so the user cannot pivot any further.
However, could this actor have hosted other domains on a different server? Assuming they’d also use the same registrar and hosting provider, a search query was run in the Silent Push API for domains starting with xn-- using NameCheap’s name servers and hosted on ITLDC’s ASN (AS21100).
Nine further domains were found. Two of them (xn--80aaw7ah[.]com and xn--80ahcmbumt[.]org) represent words in the Cyrillic alphabet and there is no reason to assume they are used for anything malicious.
The other seven, however, were all hosted on the same IP address (195.245.113.25) and all impersonate legitimate products, including once again Brave and Telegram:
The fake installer on bravė.com that prompted this research was an ISO file that appears to contain a version of the Redline infostealer. That suggests it may be related to a campaign analysed by Morphisec last month, where Redline was also served packed inside an ISO through malicious Google ads, impersonating Telegram and other services. The domain names involved in that campaign were also registered through NameCheap.
As for IDNs, there are tools that help one find homograph attacks on an existing domain name. However, it is through a comprehensive and easily searchable passive DNS database that one can find a bigger picture of the campaign using a homograph attack.
2021 may well be called, “the year of the targeted attack.” Over and over, threat actors have carried out carefully crafted operations using infrastructure tailored to specific victim organizations.
On the other side of the table, large organizations rely on security tools that, at best, attempt to block the indicators they observed hitting other organizations previously. These IOCs don’t necessarily relate to the defending organization, meaning blue teams regularly miss the actors crafting domains and infrastructure to get beyond their particular defenses.
It is too easy for the organized crime or espionage group to develop new, bespoke assets to attack an organization safe in the knowledge of how to evade traditional security products and services. Silent Push regularly sees assets set up with such specific evasion techniques in mind.
Silent Push often sees domains registered and then aged for a period of time before malicious use, to avoid age-based reputation scores. There are often domains imitating supply chain partners of various types, to avoid security practitioners and potential victims becoming suspicious when seeing them in logs. Rotating name servers and customized name servers are often used in order to communicate with specialized malware while avoiding fingerprinting rules and behavior-based detection techniques. At the same time, there are very few innovations from security vendors to react to these new techniques.
It is time for the security industry and those defending teams to fight back. Silent Push wants to equip enterprises with the freedom to protect themselves.
Everybody needs their own customized threat intelligence. If an organization can’t meaningfully search for the attacks that are being tailored to them, what chance do they have?
Silent Push is exposing the analytics to help organizations track and trace the very attacker infrastructure being designed just for them. This allows threat intelligence teams to shine a light on this infrastructure as it is going live so they have a chance to proactively defend their organizations instead of hoping to discover the infrastructure after it has hit someone else.
What can be done?
Enterprises have been expected to accept ‘black box’ thinking from their security vendors for years: ‘You don’t need to know the details of how we detect things, just pay us the money and trust that we are defending you.’ That clearly hasn’t worked.
Now, Silent Push is exposing the underlying connections and patterns to enable enterprises to create their own intelligence feeds, focused on what they need to defend against.
If 5 threat groups use the same malicious infrastructure provider, then the enterprise needs to defend against that infrastructure provider. If numerous advanced threat groups use the same technique of managing and aging domains over time, then the enterprise needs to be able to identify domains currently managed with that technique as they go live. If a virtual bulletproof hosting provider is the commonality across numerous campaigns by different groups, then a defending enterprise must be able to identify the fingerprint of that provider to defend against it.
These are the things Silent Push can allow the enterprise to do, with the aim to empower enterprise Threat Intelligence teams with the right tools to generate their own new intelligence, and to fuse their current intelligence with new insights that help contextualize and prioritize what matters today.
Working with Intelligence Analysts as well as SOC teams over many years has led to an identification of pain points that just seemed solvable with a little thought. A couple of these pain points can be helped enormously by “Infra-Tagging”. This is a new term so just go with it for now while I explain.
The problem
There are many different ways to assess the relationship between domains. Each way involves numerous look-ups and then saving the results to compare them.
This is where Infra-Tagging steps in. Using Silent Push, just do one API call per domain to generate an Infra-tag. The tag has the form {mx.ns.as.reg}, where MX = the domain portion of the first mail exchange record in DNS, NS = the domain portion of the top (most recently seen) name server, AS = the AS name of the IP address in the A record, and REG = the registrar named in WHOIS, if available. If any field is unavailable, it is replaced with a _.
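As an added example (not Silent Push's implementation), the following builds the {mx.ns.as.reg} tag from per-domain lookup results and groups domains by it. The lookup results, domain names and provider names are constructed; taking the last two labels as the "domain portion" and lowercasing the AS and registrar names are assumptions of the example:

```python
"""Build Infra-tags of the form {mx.ns.as.reg} and cluster domains by them.

Added example, not Silent Push's implementation. The per-domain lookup results
in RECORDS are constructed; a real run would fill them from DNS, BGP and WHOIS
lookups (one API call per domain, as the post describes).
"""
from collections import defaultdict


def registered_domain(hostname):
    """'Domain portion' of a hostname: its last two labels.

    Assumption of this example; production code would consult the Public
    Suffix List so that names under e.g. co.uk are handled correctly.
    """
    labels = hostname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else labels[0]


def _norm(value):
    # Assumption: lowercase and hyphenate free-text names so tags compare cleanly.
    return value.strip().lower().replace(" ", "-") if value else "_"


def infra_fields(rec):
    """(mx, ns, as, reg) with '_' for any field the lookups could not supply."""
    mx = registered_domain(rec["mx"][0]) if rec.get("mx") else "_"   # first MX
    ns = registered_domain(rec["ns"][0]) if rec.get("ns") else "_"   # top NS
    return (mx, ns, _norm(rec.get("as_name")), _norm(rec.get("registrar")))


def infra_tag(rec):
    return "{" + ".".join(infra_fields(rec)) + "}"


def cluster_by_tag(records):
    """Group domain names that share an identical Infra-tag."""
    groups = defaultdict(list)
    for domain, rec in records.items():
        groups[infra_tag(rec)].append(domain)
    return {tag: sorted(doms) for tag, doms in groups.items()}


def shared_fields(rec_a, rec_b):
    """Number of the four fields two domains have in common (placeholders never match)."""
    return sum(1 for x, y in zip(infra_fields(rec_a), infra_fields(rec_b))
               if x == y and x != "_")


# Constructed lookup results: "mx" sorted by preference, "ns" with the most
# recently seen name server first.
RECORDS = {
    "phish-a.test": {"mx": ["mx1.mailhost.test"], "ns": ["ns1.dns-provider.test"],
                     "as_name": "CLOUD-AS-ONE", "registrar": "RegistrarX"},
    "phish-b.test": {"mx": ["mx2.mailhost.test"], "ns": ["ns2.dns-provider.test"],
                     "as_name": "CLOUD-AS-ONE", "registrar": "RegistrarX"},
    "phish-c.test": {"mx": [], "ns": ["ns1.dns-provider.test"],
                     "as_name": "CLOUD-AS-ONE", "registrar": None},
    "corp.test": {"mx": ["aspmx.bigmail.test"], "ns": ["ns1.corp.test"],
                  "as_name": "CORP-AS", "registrar": "RegistrarY"},
}

if __name__ == "__main__":
    for tag, doms in cluster_by_tag(RECORDS).items():
        print(tag, "->", ", ".join(doms))
    print("phish-a vs phish-c share",
          shared_fields(RECORDS["phish-a.test"], RECORDS["phish-c.test"]), "fields")
```

Because the tag reduces each host to its domain portion, phish-a and phish-b collapse to the same tag even though their MX and NS hostnames differ, while phish-c, with no MX and no registrar, still shares two of four fields with them.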
A penetration tester was asked to try the Silent Push service to see how it could help him and his team to get their work done quicker. This is written in the tester’s own words and only uses the Silent Push ‘DNS Explore’ feature.
Reconnaissance
Reconnaissance is performed to gain as much information as possible on the target before beginning the penetration test. ‘Recon’ is an essential element of any penetration test. Recon on a target can be done in two ways: passive and active reconnaissance.
During the recon process, researchers try to collect information about the subdomains associated with the target and their respective IP addresses. Most applications today are protected by WAFs and CDNs, and it is often challenging to identify the real IP address associated with an application. That is where the subdomains associated with the application help researchers get more information about the main application and expand the attack surface.
The Silent Push application can be used for passive reconnaissance quickly.
Case Study:
Domain : magicbricks[.]com
For the past few years, the tester has been testing web applications and has spent around 2 to 5 days collecting information about each target. The information he collected included all the domains associated with the company, their subdomains and IP addresses, as well as information about the OS.
There are different search engines available for collecting the above information, but there is no single place where all of it can be found at once.
The tester had worked on the application mentioned above a couple of months earlier and had not been able to collect much information. Then he gave it a try with Silent Push, and the information was gathered in just a few minutes. Normally, it would take the tester several days to get that information from different sources.
1. The tester started by using their Explore DNS feature which accepts wildcards:
Explore DNS history using wildcards proved very powerful
2. The tester then searched for any records associated with the test domain:
Gathering all the DNS information in one place using the explore feature
3. The tester then realized he could use a wildcard to gather subdomains and see what CNAME records were returned and what IPs the subdomains were using.
Gathering all subdomain info using a wildcard
4. This allowed the tester to pivot off this information and see what else was pointed to the same infrastructure:
Mahesh could see all A records pointing to the same IP straight away
5. The tester could enrich that information to find out more about ‘the neighbours’ and see what sort of reputation was associated with them.
This looked like a clean domain
Conclusion
Even though the tester was not on a threat intelligence team, the simple data gathering capabilities of this part of the Silent Push application saved him enormous amounts of time. Quite literally, this saves the tester days per job. The use cases across entire security teams are tremendous.
Last week, Cisco Talos published a blog post with new research on LodaRAT. Apart from updates to the Windows version of this malware, the researchers also found Android malware (‘Loda4Android’) written by the same group. They link both versions of the malware to an ongoing campaign targeting people or entities in Bangladesh.
This blog post reveals some further infrastructure used in this campaign.
LodaRAT
LodaRAT, or Loda, is information gathering malware. It has the ability to take screenshots of infected machines, record keystrokes and sound and allows its operators to send commands to the machine. It was first analysed by Proofpoint in May 2017.
In most of its campaigns, LodaRAT has been spreading through malicious documents that either contained malicious macros or exploited vulnerabilities in Office. Some earlier campaigns exploited CVE-2017-0199, while more recent ones exploited CVE-2017-11882. Though patched several years ago, the latter vulnerability remains popular among malware authors.
Among the indicators of compromise shared by Talos is the domain lap-top[.]xyz, from which a malicious APK file was served. This domain was registered in October and points to 134.122.120[.]22, an IP address belonging to the popular cloud infrastructure provider Digital Ocean.
While looking in Silent Push’s database for other domains that have pointed to this IP address, Martijn Grooten noticed two that turned out to be actively serving LodaRAT: corona-bd[.]com and imei[.]today.
Using the COVID-19 vaccine as a lure
At first glance, corona-bd[.]com looks like an official Bangladeshi government website with information on the coronavirus. That’s not surprising, because in an iframe it contains that very website, hosted at corona.gov.bd.
But right above the iframe, there is a grey bar with the Bengali text “প্রথমধাপে অগ্রাধিকার ভিত্তিতে করোনা ভাইরাসের টিকা পাওয়ার আবেদন করতে এখানে ক্লিক করুন।” which Google helped me translate to “Click here to apply for the corona virus vaccine on a first-come, first-served basis.”
The real Bangladeshi government website (left) and the fake one with an extra link on top (right)
This link goes to a form that asks for many personal details, some of which (such as “Freedom Fighter Status”) may appear unusual to non-Bangladeshis. Upon filling in the form, you are presented with a page telling you your application has been accepted. It is unclear whether the information filled in the form is used in any way, but JavaScript carefully checks that you have filled in everything, after which it is submitted to the server in a POST request.
Once you have submitted the form, you are urged to download a copy of the application. Apart from a receipt number, which is different every time the page loads, you are given a password to open the application. The application turns out to be a zip file protected with this password, and inside is a variant of LodaRAT (SHA256: e78546bb33df88c6be3afce32f5d13084295a6e0599b26c3b380d54318170d86).
It is unknown how people end up on this website, whether it relies on natural traffic or whether the campaign urges specific targets to visit it, but the context of the campaign and the apparent lack of public links to it make the latter more likely.
Interestingly, the domain corona-bd[.]com had been active many years ago, when it hosted the website of a fashion company. Last spring, it was registered again to serve information related to the coronavirus pandemic.
From the copy on the Wayback Machine, Martijn couldn’t determine any malicious purpose of this website, but it shared an IP address with a number of domains that Talos also linked to this campaign, so it is likely that the same actor was hosting it already. This would suggest this campaign, or at least preparations for it, started well before October.
Fake IMEI checker
The second domain, imei[.]today, hosts what appears to be a checker for IMEIs: numbers that uniquely identify mobile phones.
The page layout is largely copied from the legitimate site imei.info, but made to look as if it belongs to the BTRC, the Bangladesh Telecommunication Regulatory Commission. This site thus also targets Bangladesh, even though it is written in English, a language still widely understood in the country.
Legitimate (left) and malicious (right) IMEI checker
Upon entering a valid IMEI number (client-side JavaScript performs the ‘Luhn check’), the user is served a zip file. Inside this zip file, which this time is not protected with a password, is another variant of LodaRAT (SHA256: cf29981bfec0f0cf2abd54ae469c8795a3cf1e19c715ded329fdb2707f982407).
Other domains
While I found these domains because both have used the IP address 134.122.120[.]22, they have in fact shared several more IP addresses. And there are several more domains that have used some of these addresses in recent months.
One is mybnp[.]club. This site looks near identical to bnpbd.org, the website of the Bangladesh Nationalist Party (a Bangladeshi political party), from which it includes most content. The only difference is a line on top that says (in Bengali) “Click here to register to become a member of the BNP” that links to a signup page. This signup page contains an iframe that loads content from http://educationboardresults[.]net/php/application/.
However, there is no content there: educationboardresults[.]net is a parked domain. Moreover, mybnp[.]club does not render well in most modern browsers, due to mixed content errors. It may be that this site was intended to be used in the campaign but then abandoned.
Other domains that have used IP addresses in the same set include av24[.]co and bracbank[.]info, both of which were mentioned by Talos, but also bkash[.]club, bkashagent[.]com, aktel[.]org and zepode[.]online. All of these are relevant to Bangladeshis: bKash is a mobile financial service in Bangladesh, AKTEL is the former name of a mobile phone provider in Bangladesh, and Zepode is an ecommerce platform popular in the region.
Information on aktel[.]org on Silent Push’s dashboard.
Apart from using some of the same IP addresses, all of these domains use two nameservers, ns1.domain and ns2.domain, where domain is the domain itself, with both name servers pointing to the same IP address as the domain’s A record: a somewhat peculiar set-up.
Martijn had not been able to find any content hosted on these latter four domains, but that does not mean URLs with malware don’t exist. It is also possible that these have been registered for future use in this campaign.
A hacker-for-hire campaign?
Writing about the discovery of LodaRAT activity in Bangladesh, Cyberscoop suggests it might belong to a hacker-for-hire group.
Last year, several hacker-for-hire operations (sometimes referred to as ‘cyber mercenaries’) have been uncovered. Such groups make cyber-espionage capabilities available to companies, political organisations as well as nation states without their own offensive cyber capabilities.
LodaRAT’s activity has all the hallmarks of such an operation. First, the geographic spread of the activities: Talos believes the group is based in Morocco (which is why it is referred to as ‘Kasablanka’) and previous activity by this group was linked to Latin America, while this campaign targets Bangladesh. The Android malware used by this group has been linked to campaigns in the Middle East.
Secondly, the malware focuses on gathering information rather than on direct financial gain, which would be common for malware used by a more traditional cybercrime group.
And thirdly, this particular campaign appears fairly targeted. While the real size can’t be determined without global telemetry, a more widespread campaign would likely have left public traces through search engines and public threat feeds.
Of course, none of this is conclusive proof of the kind of operation this is. Nor does it mean that the authors of the malware are the same as the ones conducting this campaign.
Conclusion
Malware and phishing campaigns make a serious effort to stay under the radar. However, limited resources force threat actors to reuse infrastructure.
In this case, with the Silent Push API, Martijn was able to use this weakness to uncover more infrastructure used by the ‘Kasablanka’ actor in its targeting of Bangladesh, based on a few publicly posted indicators.
With contributions from Ken Bagnall and Nick Kostopoulos.
Of these, 94.130.110[.]78 had a PTR record set to be vps.corona-bd[.]com, while 134.122.120[.]22 used vps.lap-top[.]xyz as a PTR record. This confirms that at least these two IP addresses are or were attacker owned rather than shared hosting space.
Some other IP addresses that the domains have pointed to were shared with too many unrelated domains to consider them reliable indicators for this domain, or for malicious activity in general; hence they have not been listed.
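The pivots used throughout this post (domain to IP to co-hosted domains, discarding IPs shared by too many unrelated tenants, the PTR ownership check above, and the self-hosted name server pattern noted earlier) can be scripted over passive DNS data. The following is an added example, not Silent Push code; every record, name and address in it is constructed, and the sharing threshold of five domains per IP is an assumption:

```python
"""Reverse-IP pivoting, PTR ownership and self-hosted NS checks over passive DNS.

Added example, not Silent Push code. PDNS is a constructed dataset of
(name, rtype, value) tuples; a real run would query a passive DNS API.
"""

PDNS = [
    ("lure-a.test", "A", "203.0.113.10"),
    ("lure-a.test", "A", "198.51.100.5"),
    ("lure-b.test", "A", "203.0.113.10"),
    ("lure-c.test", "A", "203.0.113.10"),
    ("lure-c.test", "A", "203.0.113.20"),
    ("lure-d.test", "A", "203.0.113.20"),
    # a busy shared-hosting IP with many unrelated tenants (constructed)
    *[(f"shared-{i}.test", "A", "198.51.100.5") for i in range(1, 7)],
    # reverse records: one VPS named after a campaign domain, one generic host
    ("203.0.113.10", "PTR", "vps.lure-a.test"),
    ("198.51.100.5", "PTR", "host5.bighoster.test"),
    # name servers: lure-c hosts its own NS on its own A address
    ("lure-a.test", "NS", "ns1.dns-provider.test"),
    ("lure-c.test", "NS", "ns1.lure-c.test"),
    ("lure-c.test", "NS", "ns2.lure-c.test"),
    ("ns1.lure-c.test", "A", "203.0.113.20"),
    ("ns2.lure-c.test", "A", "203.0.113.20"),
]


def registered_domain(hostname):
    # Assumption: last two labels; production code would use the Public Suffix List.
    return ".".join(hostname.rstrip(".").split(".")[-2:])


def lookup(name, rtype):
    return sorted({v for n, t, v in PDNS if n == name and t == rtype})


def domains_on_ip(ip):
    """Registered domains whose A records have pointed at `ip`."""
    return sorted({registered_domain(n) for n, t, v in PDNS if t == "A" and v == ip})


def pivot(seed, max_shared=5, depth=1):
    """Domains co-hosted with `seed`, up to `depth` hops.

    IPs shared by more than `max_shared` domains are treated as shared hosting
    and skipped (threshold is an assumption; the post only says 'too many').
    Returns (related_domains, skipped_ips).
    """
    found, frontier, skipped = {seed}, {seed}, set()
    for _ in range(depth):
        nxt = set()
        for dom in frontier:
            for ip in lookup(dom, "A"):
                cohosted = domains_on_ip(ip)
                if len(cohosted) > max_shared:
                    skipped.add(ip)
                    continue
                nxt.update(cohosted)
        frontier = nxt - found
        found |= nxt
    return sorted(found - {seed}), sorted(skipped)


def attacker_owned_ips(domains):
    """IPs whose PTR record points back into one of the campaign's own domains."""
    domains = set(domains)
    owned = set()
    for dom in domains:
        for ip in lookup(dom, "A"):
            for ptr in lookup(ip, "PTR"):
                if registered_domain(ptr) in domains:
                    owned.add(ip)
    return sorted(owned)


def self_hosted_ns(domain):
    """True when every NS lies under the domain itself and resolves to one of its A addresses."""
    ns_hosts = lookup(domain, "NS")
    a_ips = set(lookup(domain, "A"))
    if not ns_hosts:
        return False
    return all(registered_domain(ns) == domain and set(lookup(ns, "A")) & a_ips
               for ns in ns_hosts)


if __name__ == "__main__":
    related, skipped = pivot("lure-a.test", depth=2)
    print("related:", related, "skipped shared IPs:", skipped)
    print("attacker-owned IPs:", attacker_owned_ips(["lure-a.test"] + related))
    print("self-hosted NS:", [d for d in ["lure-a.test"] + related if self_hosted_ns(d)])
```

Starting from lure-a.test, the busy 198.51.100.5 is skipped as shared hosting, the VPS at 203.0.113.10 yields lure-b and lure-c, a second hop through lure-c reaches lure-d, the PTR check singles out 203.0.113.10 as attacker-controlled, and lure-c is flagged for the ns1/ns2-under-itself pattern.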