
IcedID Command and Control Infrastructure

Earlier this week, the DFIR Report published an interesting analysis of an intrusion with the notorious Sodinokibi/REvil ransomware. The intrusion used IcedID as the initial access broker: many ransomware actors use another malware campaign to gain access to an internal network, and IcedID has become a very popular choice for that.

This blog post demonstrates how the IOCs shared by the DFIR Report can uncover more command and control infrastructure linked to IcedID, some of which has not been published before.

IcedID, also known as Bokbot, was discovered by IBM X-Force in November 2017. Initially operating as a banking trojan, it has since made the same move that Emotet had made previously and is now used to establish a foothold within a network, which is then later used by a ransomware operation.

The DFIR Report’s analysis lists cikawemoret34[.]space and nomovee[.]website as IcedID command and control servers used during the intrusion. These domains were hosted on the IP addresses 206.189.10[.]247 and 161.35.109[.]168 respectively.

It is always a good idea to see what other domains were hosted on these IP addresses. Using Silent Push passive DNS data, Martijn also found the following domains on 206.189.10[.]247:

33nachoscocso[.]website
berxion9[.]online
chinavillage[.]uno
emanielepolikutuo1[.]website
gommadrilla[.]space
oskolko[.]uno
prolomstenn[.]fun

While on 161.35.109[.]168, Martijn found:

aspergerr[.]top
kneelklil[.]uno
newstationcosmo8[.]space

Unsurprisingly, most of these domains have been publicly linked to IcedID.

All the domains were registered through Porkbun in February or March and parked there initially before switching to Cloudflare’s name servers and pointing to the aforementioned IP addresses. This switching happened at different times for different domains, suggesting that the switch was made just before a domain was used in a campaign.

One domain stands out:

emanielepolikutuo1[.]website

This domain first switched to using name servers belonging to Russia’s Server Space and pointing to the IP address 143.198.25[.]214, before switching to Cloudflare and 206.189.10[.]247 a little over a week later.

So, looking at 143.198.25[.]214, the following domains hosted there can be found:


All but one of these domains were registered at Porkbun; the exception is the slightly older seconwowa[.]cyou, which was registered through NameSilo.

Just like the previous set of domains, all these domains switched to using Cloudflare’s name servers at some point and switched IP addresses at the same time. However, some first pointed to 83.97.20[.]176 before pointing to 143.198.25[.]214. On the former IP address, four more domains were found:

ameripermanentno[.]website
mazzappa[.]fun
odichaly[.]space
vaccnavalcod[.]website

Again, these used the same pattern of registering at Porkbun before switching to Cloudflare’s name servers and the above IP address.

Of the latter two lists of domains, only some have been publicly linked to IcedID activity. However, the similarities noted above, as well as the choice of TLDs, suggest these domains belong to the same infrastructure and either have been or will be used in IcedID campaigns.

There is a pattern here: a domain gets registered, usually at Porkbun, and parked there for a while before its name servers switch to those of Cloudflare, at which point the domain points to a new IP address. Each such IP address hosts several of these domains. There is also a preference for slightly unusual top-level domains.

Using this pattern, one can dig into the Silent Push data trove to look for other domains that satisfy it. After sifting through the results to filter out false positives, the analyst ends up with a list of domain names and corresponding IP addresses which he considered very likely to belong to IcedID’s infrastructure.
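The hunt described in the last few paragraphs, written out as an added example (not code from the original post): the passive-DNS records, domain names and IPs below are constructed, and the Porkbun and Cloudflare name-server suffixes, the list of "unusual" TLDs and the two-day tolerance are assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta

# Name-server suffixes used to recognise the two phases of the pattern. These are
# assumptions for the example: Porkbun's parking name servers and Cloudflare's.
PARKING_NS_SUFFIXES = ("ns.porkbun.com",)
CLOUDFLARE_NS_SUFFIX = "ns.cloudflare.com"
# The post notes a preference for unusual TLDs; which ones count is our choice here.
UNUSUAL_TLDS = {"space", "uno", "website", "online", "fun", "top", "site", "club", "cyou"}
# The NS switch and the A-record change must happen this close together.
MAX_GAP = timedelta(days=2)

# Constructed passive-DNS history (NOT real observations): each tuple is
# (domain, rrtype, value, first_seen, last_seen). IPs are documentation addresses.
PDNS = [
    # parked at the registrar, then Cloudflare NS and a new A record on the same day
    ("gommalike1.space", "NS", "curitiba.ns.porkbun.com", date(2021, 2, 10), date(2021, 3, 20)),
    ("gommalike1.space", "A",  "198.51.100.10",           date(2021, 2, 10), date(2021, 3, 20)),
    ("gommalike1.space", "NS", "ada.ns.cloudflare.com",   date(2021, 3, 21), date(2021, 4, 30)),
    ("gommalike1.space", "A",  "192.0.2.47",              date(2021, 3, 21), date(2021, 4, 30)),
    # same pattern two weeks later, landing on the same IP
    ("oskolike2.uno", "NS", "fortaleza.ns.porkbun.com", date(2021, 2, 14), date(2021, 4, 2)),
    ("oskolike2.uno", "A",  "198.51.100.10",            date(2021, 2, 14), date(2021, 4, 2)),
    ("oskolike2.uno", "NS", "bob.ns.cloudflare.com",    date(2021, 4, 3),  date(2021, 4, 30)),
    ("oskolike2.uno", "A",  "192.0.2.47",               date(2021, 4, 3),  date(2021, 4, 30)),
    # same pattern, but alone on its IP: matches, yet too weak to cluster
    ("lonely3.fun", "NS", "maceio.ns.porkbun.com", date(2021, 3, 1), date(2021, 3, 4)),
    ("lonely3.fun", "A",  "198.51.100.10",         date(2021, 3, 1), date(2021, 3, 4)),
    ("lonely3.fun", "NS", "cat.ns.cloudflare.com", date(2021, 3, 5), date(2021, 4, 30)),
    ("lonely3.fun", "A",  "192.0.2.99",            date(2021, 3, 5), date(2021, 4, 30)),
    # co-hosted on 192.0.2.47 but never parked: sharing the IP alone is not enough
    ("always-cf.space", "NS", "ada.ns.cloudflare.com", date(2020, 6, 1), date(2021, 4, 30)),
    ("always-cf.space", "A",  "192.0.2.47",            date(2020, 6, 1), date(2021, 4, 30)),
    # ordinary TLD, excluded by the TLD preference
    ("shop-example.com", "NS", "curitiba.ns.porkbun.com", date(2021, 2, 1), date(2021, 3, 1)),
    ("shop-example.com", "NS", "ada.ns.cloudflare.com",   date(2021, 3, 2), date(2021, 4, 30)),
    ("shop-example.com", "A",  "192.0.2.47",              date(2021, 3, 2), date(2021, 4, 30)),
]


def by_domain(pdns):
    """Group pDNS tuples per domain name."""
    groups = defaultdict(list)
    for rec in pdns:
        groups[rec[0]].append(rec)
    return groups


def pattern_match(records):
    """Return (switch_date, new_ip) when one domain's history follows the pattern:
    parked at a registrar NS first, later moved to Cloudflare NS, a new A record
    appearing within MAX_GAP of that switch, and an unusual TLD. Otherwise None."""
    domain = records[0][0]
    if domain.rsplit(".", 1)[-1] not in UNUSUAL_TLDS:
        return None
    ns = sorted((r for r in records if r[1] == "NS"), key=lambda r: r[3])
    a_recs = sorted((r for r in records if r[1] == "A"), key=lambda r: r[3])
    if not ns or not ns[0][2].endswith(PARKING_NS_SUFFIXES):
        return None  # never parked at the registrar first
    cloudflare = [r for r in ns if r[2].endswith(CLOUDFLARE_NS_SUFFIX)]
    if not cloudflare or cloudflare[0][3] <= ns[0][3]:
        return None  # no later move to Cloudflare
    switch = cloudflare[0][3]
    for rec in a_recs:
        if rec[3] > ns[0][3] and abs(rec[3] - switch) <= MAX_GAP:
            return switch, rec[2]
    return None


def hunt(pdns, min_shared=2):
    """Map each IP to the pattern-matching domains it hosts, keeping only IPs that
    host at least `min_shared` of them: one match on an IP is weak evidence."""
    hits = defaultdict(list)
    for domain, records in by_domain(pdns).items():
        match = pattern_match(records)
        if match:
            hits[match[1]].append(domain)
    return {ip: sorted(doms) for ip, doms in hits.items() if len(doms) >= min_shared}


if __name__ == "__main__":
    for ip, doms in hunt(PDNS).items():
        print(ip, ", ".join(doms))
```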

Many of these indicators have been published previously, for example on Maltrail’s GitHub, but many others have not been publicly linked to IcedID before.

You can find the full list of 58 IP addresses and 323 domain names (and 402 combinations: some domain names have pointed to multiple IP addresses) on our GitHub page.  

Conclusion

Malware like IcedID plays a crucial role in many large cybercrime campaigns, including ransomware, which can be very costly for the victim organization. Early knowledge of indicators is thus important, even if these indicators haven’t all been publicly linked to the malware. This blog post demonstrated how to find hundreds of such indicators by spotting some patterns in the domain behaviour. 

Thank you to John Jensen and Ken Bagnall for their contributions.


More IcedID Command and Control Infrastructure

Two weeks ago, a blog post was shared by Martijn Grooten regarding the IcedID malware, in which he published hundreds of domains and IP addresses that were part of IcedID’s command and control infrastructure. Though many of these had been published before, many others had not been publicly linked to the malware.

IcedID has become a crucial component in many cybercrime supply chains, and it is thus on the radar of many security researchers. Several analyses of IcedID have been published since, including ones by Awake and Uptycs as well as two posts on Brad Duncan’s Malware Traffic Analysis blog.

Most of the command and control indicators listed in these posts were already in our list of indicators, which shows once again how one doesn’t always need to analyse active network activity to detect such infrastructure. Because IcedID is still very much active and continues to register new command and control domains, Martijn used the method described in the previous blog post to find many more indicators.

These new indicators have been added to this GitHub account, which now contains 366 unique domains, 69 unique IP addresses and 495 combinations thereof.

Thank you to John Jensen who contributed to this research.


Malicious Infrastructure as a Service

Domains created for malicious purposes are rarely registered on their own. When you have identified such a domain, it is therefore always a good idea to look for other domains used in the same campaign.

Sometimes finding such a domain is easy. For example, you may notice a very similar domain (such as the .net version of a .com domain) registered with the same registrar on the same day. At other times you will need to look for other evidence, for example finding them hosted on the same IP address.

In general, however, linking two domains through a single IP address isn’t strong enough evidence that the domains themselves are linked. The link becomes a lot stronger though when two or more domains were seen moving through the same set of IP addresses simultaneously.

In previous blog posts, this was used to find five domains that used the same infrastructure and that were made to look like they belonged to a content delivery network, as well as the infrastructure of a LodaRAT campaign targeting Bangladesh.

This blog post examines a few more sets of malicious domains that moved simultaneously through the same set of IP addresses. The domains within each set are linked, and there is some evidence to suggest that the infrastructure belongs to a bulletproof hosting service.

Magecart

The first set of domains spoofs well known services such as Cloudflare, Google, jQuery and Magento:


These domains were all registered at Russian registrar REG.RU on the 3rd of November 2020 and have simultaneously moved through the same set of IP addresses. They all use the name servers of DNSPod, a Chinese DNS hosting provider that has long been popular with cyber criminals.

For the first three months of 2021, the domains were seen on the following twenty IP addresses, in this order:


Sometimes, the domains only pointed to an IP address for less than a day, but in one case they pointed to the same IP address for three weeks in a row.

The IP addresses belong to various hosting services, with a particular preference for Google’s.

Interestingly, around the 8th of March, nine more domains joined the cycle:


They have been pointing to the same IP address as the original set ever since.

There is public evidence linking these domains to Magecart. Magecart is an umbrella term used to refer to more than a dozen groups that insert code into websites’ payment pages that steals credit card data. A common trick used by Magecart groups is to make their domains look like those from which code is regularly included into web pages. A website owner looking at the source code of a web page may thus incorrectly assume the inclusion of third-party JavaScript is harmless.

Note: because the domains sometimes pointed to an IP address for a very short time period, it is possible that the list of IP addresses above isn’t complete for the three-month period January 1st to March 31st 2021. The same applies to the examples below.

IcedID and Qakbot

A second set of domains also cycled through a set of IP addresses, again all pointing to the same IP address at the same point in time.

The domains are:


The IP addresses are:


The domains were registered between late February and mid March 2021, mostly through Dutch registrar Hosting Concepts with a few using REG.RU instead. The name servers used were again those of DNSPod, while the IP addresses belong to Google and Alibaba.

Interestingly, two of the IP addresses (35.228.62[.]27 and 35.204.191[.]93) were also used by the Magecart domains above, suggesting a possible link between the two sets.

Many of the above domains have been used to download either the IcedID or the Qakbot malware. Both IcedID and Qakbot (also known as Qbot) are commonly used as initial access brokers. Though no direct link between these two actors is known, recently URLs of the type that previously served Qakbot started to serve IcedID instead.

This suggests that a separate actor handles the spam campaigns that deliver either malware, an example of the increased commoditization of cybercrime. This would also explain why the domains listed above are different from the IcedID command and control domains written about recently, which use a different hosting infrastructure.

Ursnif and phishing

A third set of domains also cycled through a set of IP addresses:


The IP addresses in this case are:

188.227.58[.]120
45.143.136[.]43
188.227.86[.]64
91.203.192[.]117
35.228.188[.]33
35.246.93[.]71
35.228.88[.]152

All these domains were registered through Eranet, a registrar based in Hong Kong, and again used DNSPod’s name servers. Two of the IP addresses, marked in bold, were also used by the Magecart domains, suggesting a possible link.

Interestingly, there are two kinds of domains in the list. On the one hand, there are random-looking domains which, as with the IcedID/Qakbot domains above, could suggest a domain generation algorithm (DGA). On the other hand, there are domains like docusign-cloud[.]com and upsdocstorage[.]com, which have all but certainly been used in phishing campaigns: both DocuSign and UPS are commonly used in phishing lures.

It is not surprising therefore that these latter domains were taken down, often within a week after becoming active: lookalike domains are actively hunted by the affected organisations.

As for the DGA-like domains, one of them, uidacrtsppxece[.]com, has been linked to Ursnif, another common malware delivered in email campaigns.

It is unclear whether there is a direct link between Ursnif and the phishing domains beyond the use of the same infrastructure, or even whether all DGA-like domains have served Ursnif.   

Other domains

There are many other domains that have used the same infrastructure, including the use of the DNSPod DNS provider.

For example, the following domains…

ie-kbc[.]net
ie-kbc[.]org
kbc-ie[.]net
www.kbcbanking[.]net

will no doubt have been used to impersonate KBC, an Irish bank, while authorise-eebilling[.]com has likely targeted customers of UK mobile provider EE. There are also several more domains that suggest a DGA.

Conclusion: a bulletproof hosting provider?

The similarities among the various sets described above, such as the use of DNSPod and the sharing of IP addresses, suggest the campaigns described all use the same infrastructure, likely that of a bulletproof hosting service.

A bulletproof hoster serves a similar function to what a content-delivery network (CDN) does for legitimate domains: it makes a denial-of-service attack harder to carry out. The “attack” in this case would come from law enforcement and security researchers.

In the past, bulletproof hosters ran their own networks, which often led to the whole ASN being blocklisted. More modern bulletproof hosters rent servers at cloud providers and set these up as proxies for their customers’ content. By rotating through a set of IP addresses, the content is less vulnerable to being blocked based on the IP address.

Intel471 recently wrote about bulletproof hosters and in particular mentioned DNSPod.

Of course, we cannot be 100% certain that this is a bulletproof hoster, or even that the various campaigns do use the same infrastructure: the sharing of IP addresses may be a coincidence, or because there is another party involved in renting the servers.

But this is yet another example that shows how understanding the context of a domain name can help one find a lot of related infrastructure that is worth blocking, even without having seen evidence of actual malicious activity.

screenshot of the Feed Performance data dashboard

Best Cyber Threat Intelligence Feeds

Evaluating Threat Intelligence Feeds

Your security team likely uses many threat intelligence feeds to detect and block threats on your network. But which of these are the best? And what does ‘best’ even mean in this case?

Silent Push helps you answer these questions.

In this blog post, we use a number of open source feeds to show two indicators of feeds that we use to determine the quality of feeds: originator percentage and overlap percentage. Contact us directly if you are interested in having your paid feeds evaluated for their quality — and possibly saving you quite a bit of money.

Originator


In the first chart, we look at the originator percentage: the percentage of data in each feed for which it was the first to report it. Many indicators are only active for a short period of time, so the earlier they are included in a feed, the better.

Originator and Overlap

In the second chart, we have added the overlap percentage: what percentage of the data in a feed also appears in other feeds. Low overlap makes a feed very valuable, as it provides data no other feed provides, but the reverse isn’t automatically true: a feed may have a high overlap score, but still be very valuable because it is often the first to report observables. This is why we weigh the originator score more heavily than the overlap score. 
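The two metrics from the charts, computed over constructed feed sightings as an added example (this is not the Silent Push implementation): the feed names and indicators are made up, and the weights used to combine the two scores are an assumption, since the post only says the originator score weighs more heavily.

```python
from collections import defaultdict

# Constructed sightings (NOT real feed data): (feed, indicator, day it was listed).
# feedA is often first but everything it lists is also in another feed; feedB and
# feedC each carry one indicator nobody else has.
SIGHTINGS = [
    ("feedA", "bad1.example", 1), ("feedB", "bad1.example", 3),
    ("feedA", "bad2.example", 2), ("feedC", "bad2.example", 2),   # tie: both count as first
    ("feedB", "bad3.example", 1), ("feedC", "bad3.example", 5), ("feedA", "bad3.example", 6),
    ("feedC", "bad4.example", 1),                                   # unique to feedC
    ("feedB", "bad5.example", 4),                                   # unique to feedB
    ("feedA", "bad6.example", 1), ("feedB", "bad6.example", 2), ("feedC", "bad6.example", 2),
]


def feed_scores(sightings):
    """Per feed: size, originator percentage (share of its indicators it was the first,
    or tied first, to list) and overlap percentage (share of its indicators that also
    appear in at least one other feed)."""
    earliest = {}                      # indicator -> earliest day in any feed
    feeds_per_indicator = defaultdict(set)
    listed = defaultdict(dict)         # feed -> indicator -> day that feed listed it
    for feed, indicator, day in sightings:
        earliest[indicator] = min(earliest.get(indicator, day), day)
        feeds_per_indicator[indicator].add(feed)
        listed[feed][indicator] = min(listed[feed].get(indicator, day), day)
    scores = {}
    for feed, indicators in listed.items():
        n = len(indicators)
        originated = sum(1 for ind, day in indicators.items() if day == earliest[ind])
        overlapping = sum(1 for ind in indicators if len(feeds_per_indicator[ind]) > 1)
        scores[feed] = {
            "size": n,
            "originator_pct": round(100 * originated / n, 1),
            "overlap_pct": round(100 * overlapping / n, 1),
        }
    return scores


def rank(scores, w_originator=2.0, w_low_overlap=1.0):
    """Order feeds by a combined score that rewards originating and, less strongly,
    low overlap. The weights are an assumption for this example."""
    combined = {
        feed: w_originator * s["originator_pct"] + w_low_overlap * (100 - s["overlap_pct"])
        for feed, s in scores.items()
    }
    return sorted(combined, key=lambda feed: (-combined[feed], feed))


if __name__ == "__main__":
    scores = feed_scores(SIGHTINGS)
    for feed in rank(scores):
        print(feed, scores[feed])
```

feedA ends up ranked first despite 100% overlap, which is the point the post makes about weighting the originator score more heavily.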

If you have open source feeds you want us to add to the report please contact us. We will expand on this report each month.

If you want to evaluate your intelligence feeds, please contact us to set up a trial. You can ingest your feed into the platform and quickly receive statistics on its contents, with many more factors included than those listed above.

List Of Open Source Feeds and Vendors

Name | Vendor
UrlHaus | Abuse.ch
OpenPhish | OpenPhish
Malicious Domain Blacklist | Rescure
Bot Scout | Bot Scout
Tweetfeed URL | Daniel López
BBCAN | BBCAN177 (pfSense)
CINS Army List IP | CINS
Tweetfeed | Daniel López
AlienVault Domain | AlienVault
FeodoTracker | Abuse.ch
ThreatFox recent domains | Abuse.ch
Rutgers | Rutgers
MalSilo Domain | MalSilo
MiraiIp | MiraiTracker
MalSilo IP | MalSilo
Maltrail | Maltrail
AlienVault IP | AlienVault
Green Snow | Green Snow
ThreatFox recent urls | Abuse.ch
CyberCure IP | CyberCure
Threat Fox recent IP | Abuse.ch
Phishing Feed - New Today | Mitchell Krogza
Emerging Threat IP | Emerging Threat
BlockListIP | blocklist.de
Malicious IP Blacklist | Rescure
log4j-scanning IPs | GreyNoise
VX Vault | VX Vault

List of Links To Feeds

Name | URL
UrlHaus | https://urlhaus.abuse.ch/downloads/csv_recent/
OpenPhish | https://openphish.com/feed.txt
Malicious Domain Blacklist | https://rescure.fruxlabs.com/rescure_domain_blacklist.txt
Bot Scout | https://botscout.com/last_caught_cache.txt
Tweetfeed URL | https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv
BBCAN | https://gist.githubusercontent.com/BBcan177/4a8bf37c131be4803cb2/raw
CINS Army List IP | https://cinsscore.com/list/ci-badguys.txt
Tweetfeed | https://raw.githubusercontent.com/0xDanielLopez/TweetFeed/master/today.csv
AlienVault Domain | https://otx.alienvault.com/api/v1/indicators/export?types=domain
FeodoTracker | https://feodotracker.abuse.ch/downloads/ipblocklist.csv
ThreatFox recent domains | null
Rutgers | https://report.cs.rutgers.edu/DROP/attackers
MalSilo Domain | https://malsilo.gitlab.io/feeds/dumps/domain_list.txt
MiraiIp | https://mirai.security.gives/data/ip_list.txt
MalSilo IP | https://malsilo.gitlab.io/feeds/dumps/ip_list.txt
Maltrail | https://raw.githubusercontent.com/stamparm/aux/master/maltrail-malware-domains.txt
AlienVault IP | https://otx.alienvault.com/api/v1/indicators/export?types=IP
Green Snow | https://blocklist.greensnow.co/greensnow.txt
ThreatFox official recent urls | https://threatfox.abuse.ch/export/csv/urls/recent/
CyberCure IP | http://api.cybercure.ai/feed/get_ips
Threat Fox recent IP | https://threatfox.abuse.ch/export/csv/ip-port/recent/
Phishing Feed - New Today | https://raw.githubusercontent.com/mitchellkrogza/Phishing.Database/master/phishing-links-NEW-today.txt
Emerging Threat IP | https://rules.emergingthreats.net/blockrules/compromised-ips.txt
BlockListIP | http://api.blocklist.de/getlast.php
Malicious IP Blacklist | https://rescure.me/rescure_blacklist.txt
log4j-scanning IPs | https://gist.githubusercontent.com/gnremy/c546c7911d5f876f263309d7161a7217/raw/eac647ffb2e2cc1193be7e8b2f9cf96080278a04/CVE-2021-44228_IPs.csv
VX Vault | http://vxvault.net/URL_List.php


Pivoting: Finding Malware Domains Without Seeing Malicious Activity

It is part of the job of a threat actor to ensure the domains used in their campaigns blend in with the crowd and stay undetected for the duration of the campaign. It is part of the job of an analyst to spot such domains by looking for ways in which they still stand out. 

Example

While looking through the trove of data on Silent Push, I spotted the domain cdn12-web-security[.]com. At first glance, this domain looks like a normal domain, part of the content delivery network of a web security service. However, it is slightly odd that more than three months after the domain was registered, cdn<n>-web-security[.]com doesn’t exist for any other n.

We have also learned to be a bit suspicious of these very normal looking domains: the main domain used in the SolarWinds supply-chain attack, avsvmcloud[.]com, remained undetected for months at least in part because it looks so very normal, seeming to belong to an AWS-like cloud service and hardly standing out among the domains you’ll see in your DNS logs. 

On top of this, in the past month alone, we have seen cdn12-web-security[.]com point to no fewer than six different IP addresses in succession, which is fairly unusual: 

80.249.147[.]241
47.91.92[.]75
80.249.147[.]144
47.254.131[.]6
8.208.87[.]225
8.208.101[.]136

Still, we have not seen any malicious activity linked to the domain. In fact, there does not appear to be any public activity linked to the domain at all, which suggests that whatever it is that the owners of the domain are doing, they keep it small enough to stay under the radar. 

But let us look at the IP addresses. Two of them (80.249.147[.]241 and 80.249.147[.]144) belong to Russian hosting provider Selectel, while the other four belong to Alibaba’s US operations. In Silent Push’s systems, these two ASNs have fairly high (i.e. bad) IP reputation scores (35 and 28 respectively), which suggests a fair number of malicious URLs are hosted there. It should be noted, though, that this isn’t too uncommon for large cloud providers: Amazon AWS’s IP reputation score currently stands at 19.

Now let us look at the IP address to which the domain pointed during the last week of January, 8.208.101[.]136, and see what else is hosted there.

During the last week in January, the domain secure-dns-resolve[.]com also pointed to this IP address. And for this domain we have public activity of both malware connecting to it and a phishing image hosted there. Interestingly, and almost certainly not coincidentally, we saw this domain point to the same six IP addresses throughout January, going through them in the same order.

Another domain name pointing to the same IP address is dns16-microsoft-health[.]com. Here too we find public evidence of malware that has connected to it. It will not surprise anyone that dns<n>-microsoft-health[.]com doesn’t exist for any other n. The domain has also cycled through the same set of IP addresses we saw before.

This is also true for a fourth domain we saw pointing to 8.208.101[.]136 recently: cdn12-show-content[.]com. Here though we find no public evidence for activity linked to this domain, malicious or not. 

Still, given the many similarities, we are confident to say cdn12-web-security[.]com and cdn12-show-content[.]com are operated by the same actors who also operate secure-dns-resolve[.]com and dns16-microsoft-health[.]com and should be blocked just as much. The same is true for a fifth domain, ms-health-monitor[.]com, which has been linked to malware and which was taken down in January. 
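The pivot carried out above, and the "moved simultaneously through the same set of IP addresses" criterion from the Malicious Infrastructure as a Service post, as an added example that is not code from the original posts: the passive-DNS A-record history, domain names and IPs are constructed, and the one-day skew tolerance is an assumption.

```python
from datetime import date, timedelta

# Constructed passive-DNS A-record history (NOT real observations):
# (domain, ip, first_seen, last_seen). IPs are documentation addresses.
PDNS = [
    # the seed domain hops through three IPs in order
    ("cdn12-web-example.com",    "192.0.2.10",   date(2021, 1, 1),   date(2021, 1, 9)),
    ("cdn12-web-example.com",    "198.51.100.5", date(2021, 1, 10),  date(2021, 1, 19)),
    ("cdn12-web-example.com",    "203.0.113.77", date(2021, 1, 20),  date(2021, 1, 31)),
    # same IPs, same order, same days: very likely the same operator
    ("secure-dns-example.com",   "192.0.2.10",   date(2021, 1, 1),   date(2021, 1, 9)),
    ("secure-dns-example.com",   "198.51.100.5", date(2021, 1, 10),  date(2021, 1, 19)),
    ("secure-dns-example.com",   "203.0.113.77", date(2021, 1, 20),  date(2021, 1, 31)),
    # same hops, each a day later: still co-moving within the tolerance
    ("dns16-example-health.com", "192.0.2.10",   date(2021, 1, 2),   date(2021, 1, 10)),
    ("dns16-example-health.com", "198.51.100.5", date(2021, 1, 11),  date(2021, 1, 20)),
    ("dns16-example-health.com", "203.0.113.77", date(2021, 1, 21),  date(2021, 1, 31)),
    # long-lived tenant on the last IP only: shared hosting, not evidence of a link
    ("unrelated-blog.net",       "203.0.113.77", date(2020, 6, 1),   date(2021, 1, 31)),
    # used two of the same IPs, but earlier and in the opposite order
    ("other-tenant.org",         "203.0.113.77", date(2020, 12, 1),  date(2020, 12, 15)),
    ("other-tenant.org",         "192.0.2.10",   date(2020, 12, 16), date(2020, 12, 31)),
]


def timeline(pdns, domain):
    """Chronological IP hops of one domain as (ip, first_seen, last_seen)."""
    return sorted(((ip, fs, ls) for d, ip, fs, ls in pdns if d == domain), key=lambda h: h[1])


def cohosted(pdns, ip, on):
    """Pivot step: every domain that pointed at `ip` on date `on`."""
    return sorted({d for d, i, fs, ls in pdns if i == ip and fs <= on <= ls})


def comoving(pdns, seed, skew=timedelta(days=1)):
    """Domains that took exactly the seed's IP hops, in the same order, each hop
    starting within `skew` of the seed's. Sharing some IPs is not enough."""
    seed_hops = timeline(pdns, seed)
    matches = []
    for domain in sorted({d for d, *_ in pdns} - {seed}):
        hops = timeline(pdns, domain)
        if len(hops) != len(seed_hops):
            continue
        if all(h[0] == s[0] and abs(h[1] - s[1]) <= skew for h, s in zip(hops, seed_hops)):
            matches.append(domain)
    return matches


def pivot_report(pdns, seed):
    """Start from one suspicious domain: list its IPs, everything co-hosted on them
    while it was there, and finally the domains that actually moved with it."""
    hops = timeline(pdns, seed)
    shared = set()
    for ip, _fs, ls in hops:
        shared.update(cohosted(pdns, ip, ls))  # who else was on that IP on the hop's last day
    shared.discard(seed)
    return {"ips": [h[0] for h in hops], "cohosted": sorted(shared), "comoving": comoving(pdns, seed)}


if __name__ == "__main__":
    print(pivot_report(PDNS, "cdn12-web-example.com"))
```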

Another thing that links these five domains is the use of DNSPod’s name servers, which have a not too great reputation of 18 in Silent Push’s systems. 

These five domains aren’t the only ones linked to the mentioned IP addresses. For example, righttime4mercy[.]com currently points to 80.249.147[.]144; this domain has been linked to a Hancitor malspam campaign in the past.  

It may thus be that these IP addresses are managed by a bulletproof hosting provider which rents out its infrastructure to malicious actors and shields them from takedown requests. The Hancitor domain may thus be unrelated to the other five, though of course no less malicious.

Conclusion 

Pivoting around an IP address or a domain name isn’t generally a very reliable way to link malicious activity, given the wide use of shared and compromised infrastructure, as well as the use of false flags by more advanced actors. However, it should not be totally ignored either.  

We started from a single interesting looking domain for which no malicious activity could be found. Through the Silent Push API and with the help of a few search engine searches, we were able to link it to an active malware campaign, and possibly found part of a bulletproof hosting operation.


Investigating Crimeware Name Servers

Very few security products and services give enough consideration to the reputation and quality of the name server associated with the domains they are looking at.

Example

In this example, we pick a High Value Suspicious Domain and check what else is on the same name server to examine what is discovered through the process.

Our seed domain will be service-update[.]link. Looking at the name server info from our API:

    "domain": "service-update[.]link",
    "ns_avg_ttl": 4149,
    "ns_domain": "dendrite.network",
    "num_domains": 203,

This is a low-density name server: we have only seen 203 domains on it. It also has a very low average TTL across those domains, which may suggest a lot of changes compared to other name servers.

A quick lookup using our explore API gives us a number of suspicious domains with matching characteristics. These appear to be in two groups.

Group 1:

Commonalities: tech-related theme; name server domain dendrite.network; have an A record; AS holder ColoCrossing; registrar Namesilo; registrant details "address": "Tavernier St., Wall House", "city": "Loubiere", "country": "DM".

Domain | PTR record | Potential target | Registrar
update-support[.]network | *colocrossing.com | 3 Mobile UK | Registrar
service-update[.]link | *colocrossing.com | Live soon | Registrar
hs-securealerts[.]com | *colocrossing.com | HSBC | Registrar
ref0948a[.]com | *colocrossing.com | unknown | Registrar
ref0948a[.]com | *colocrossing.com | HMRC | Registrar
aem-new[.]com | *colocrossing.com | 3 Mobile UK | Registrar
aempath[.]com | *colocrossing.com | 3 Mobile UK | Registrar
com-gb[.]mobi | *colocrossing.com | Mobile UK | Registrar

It appears that the Group 1 domains have either been used maliciously already or are waiting to be used maliciously. Monitoring the “waiting” group for changes is key, as this may make it possible to block their activity once a domain moves into an actively malicious mode. There are a number of ways to do this, such as monitoring for new changes in DNS or associated records. Moving infrastructure can often mark the activation of a malicious domain. A good example of this is avsvmcloud[.]com, which, when activated for the SolarWinds breach, switched to its own name servers for the active part of the campaign.

Group 2:

This group seems to lead to more and more indicators so I’ll post them over time.

Commonalities: tech-related theme; name server domain dendrite.network; domains have been aged; have an A record; AS holder Nice IT Services Group Inc.; registrar Namesilo; registrant details "address": "Tavernier St., Wall House", "city": "Loubiere", "country": "DM".

Domain | AS name of IP | Potential target | Registrar
Paypalservice[.]support | Nice IT Services | PayPal | Namesilo
small-url[.]cc | Nice IT Services | Adobe and others | Namesilo
election[.]finance | Nice IT Services | malware download | Namesilo
Ulsterbankonlineltd[.]com | Nice IT Services | Ulster Bank (RBS) | Namesilo
Choicebank[.]online | Nice IT Services | Choice Bank / First Choice | Namesilo
Documentcloud[.]pw | Nice IT Services | Adobe and others | Namesilo
rbscotland-online[.]com | Nice IT Services | Royal Bank of Scotland | Namesilo
Btctools[.]net | Nice IT Services | Bitcoin wallet stealer | Namesilo
gb-kpmg[.]com | Nice IT Services | KPMG | Namesilo
secure-id[.]cloud | Nice IT Services | Secure ID | Namesilo
service-ca-verification[.]com | Nice IT Services | flagged as spammer | Namesilo
Teamtnt[.]red | Nice IT Services | malware downloads | Namesilo

Touching on these two groups based on their similarities: they could of course be one group. Either way, this name server is very heavily used by malicious actors, including at least one known threat actor group, TeamTNT.

How can I use this information?

All the information above was collected by our API and can be leveraged for threat hunting or detections. The information is pre-collected and cached so new lookups don’t have to be done each time you have a new indicator to check. We’ve already collected all this information and run some analysis on it to give things like reputation scores for the name server, the AS number reputation, the subnet reputation etc.

A security team can use Yara rules over this information to try and find “High Value Malicious Domains” in their logs or associated IP addresses.

We also have threat hunting API endpoints that gather behavioral clusters for you so you can quickly create your own new intelligence, or we can do it for you.

Ready to get started? Request a demo of our platform today by clicking the button below:


High Value Malicious Domains

Malicious domains vary enormously in quality depending on the use case and the expected lifespan of the proposed campaign. For example, if someone was running a phishing campaign and wanted to fool a user into clicking a link, the domain used for the link may not even matter if it is masked in the email and the user is going to believe they are clicking on something else in the HTML. A low value malicious domain is likely to be used in this scenario. This could involve something as easy as registering a subdomain similar to the intended victim as part of a dynamic domain service such as noip[.]org.

Example:

hxxps://voicenett.serveftp[.]com/6s17aiqf1hczfv7e

These don’t necessarily need to survive for long depending on what the next stage of the planned attack is, and can be redirected to any desired payload.

Next in the stack are domains similar to the victim or the victim's supply chain. These work very well for email campaigns in particular.

Some recent examples from threat feeds would be:

Level 2

loop.microsoftmse[.]com

wellsconfirm-account[.]com

aliorbank[.]io

This time the use case may be to place the domain in the Reply-To field of an email, with Business Email Compromise being a typical example. It is a little more visible to the victim and therefore needs to be convincing.

On the next tier are domains that stand on their own and look as though they provide a valid service. These are getting into high value territory, as there may be no obvious reason to block them: they don't look like another domain, so a typosquatting rule won't catch them, and they may not look anomalous in network traffic, or the service copied is very generic, like Microsoft. The use case is also different from those above, as it may not be email related.

Level 3

microsoftupdateswin[.]com

serviceupdates[.]net

servicesupdater[.]com

These are very convincing, can be used in long-standing campaigns and may survive for some time. This also means such domains are recycled and reused over the years, even after being taken down once discovered in malicious activity.

Differentiating beyond this comes down to the tactics and procedures of the attacker, and things get quite difficult. In order not to give away too much of the defender's toolkit, I won't go into further detail here.

Examples From UNC2452 also known as Dark Halo/Sunburst:

So, now to the indicators from the recent breaches that have been revealed so far.

Nearly all the domains fit the level 3 category, and some would fit a higher category due to the associated tactics. Firstly, they used one main domain that was critical to the campaign.

Avsvmcloud[.]com

This was further broken down into subdomains generated by a Domain Generation Algorithm. Some good work has been done on uncovering the links between those subdomains and victim names.

This primary domain had its own Nameserver which only had one domain on it:

"domain": "avsvmcloud[.]com",
"to_ns_srv_domain_density": {
    "a1-139.avsvmcloud[.]com": 1,
    "a11-64.avsvmcloud[.]com": 1,
    "a20-65.avsvmcloud[.]com": 1,
    "a26-67.avsvmcloud[.]com": 1,
    "a4-65.avsvmcloud[.]com": 1,
    "a6-66.avsvmcloud[.]com": 1
}

The domain switched to using this name server on 27th February 2020 around the time the attack began.

The list of Nameserver changes for this domain is here:

NS Changes: 2

{
    "date": 20191207,
    "days_ago": 374,
    "domain": "avsvmcloud[.]com",
    "from_nameservers": [
        "ns1.dnsowl.com",
        "ns2.dnsowl.com",
        "ns3.dnsowl.com"
    ],
    "to_nameservers": [
        "pdns09.domaincontrol.com",
        "pdns10.domaincontrol.com"
    ]
}

{
    "date": 20200227,
    "days_ago": 292,
    "domain": "avsvmcloud[.]com",
    "to_ns_srv_domain_density": {
        "a1-139.avsvmcloud[.]com": 1,
        "a11-64.avsvmcloud[.]com": 1,
        "a20-65.avsvmcloud[.]com": 1,
        "a26-67.avsvmcloud[.]com": 1,
        "a4-65.avsvmcloud[.]com": 1,
        "a6-66.avsvmcloud[.]com": 1
    }
}

Switching name servers just before a campaign signifies a management process around attacker infrastructure, and that is the case for most of the domains in this campaign. Therefore we give these types of domains a higher category, "Managed High Value Malicious Domains". In our Threat Intelligence enrichment API we capture this concept in the NameServer Entropy field.

The rest of the domains have a similar profile except they use a shared NameServer:

Domain

avsvmcloud[.]com
freescanonline[.]com
zupertech[.]com
panhardware[.]com
databasegalore[.]com
incomeupdate[.]com
highdatabase[.]com
websitetheme[.]com
thedoccloud[.]com
virtualdataserver[.]com
lcomputers[.]com
webcodez[.]com
deftsecurity[.]com
digitalcollege[.]org
globalnetworkissues[.]com
kubecloud[.]com
seobundlekit[.]com
solartrackingsystem[.]net
virtualwebdata[.]com

The next stage is to evolve this profile, use it to hunt for more similar domains, and see whether the technique is more widespread.

Creating a query for profiles similar to the main domain, which had to operate from its own name server, may lead to other instances of actors using the same technique.

This leads to a list of interesting domains registered in a pattern similar to the original avsvmcloud[.]com. That does not mean they are in any way malicious, just worthy of a further look.

Updates[.]run

fedora-dns-update[.]com, which was associated with APT22 (Suckfly) between 2014 and 2016 but is of unknown status now

virtualserverfaq[.]com

microsoftsonline[.]net, which has already been identified in a different breach attributed to APT41

microlynconline[.]com, which has already been identified in a different breach attributed to APT27

The list is much longer but very speculative, so we won't publish more of it in a public forum. Threat hunters can use this profiling methodology to query datasets (such as Silent Push's) to draw up a list of candidates worthy of monitoring. It would also be worth keeping an internal passive DNS service running on your own organisation's traffic and hunting on every newly encountered domain in it, correlating against the list of profiled domains.
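The profile described above (a domain moving onto name servers inside its own zone that serve no other domain, shortly before activity begins) and the query for similar profiles can be expressed in a few lines of Python. This is an added example, not Silent Push's code or API: the record fields follow the NS-change output quoted above, but the records themselves, the density figures for the *.example controls, the reference activity date and the entropy definition are all assumptions made for the example.

```python
"""Flag "Managed High Value Malicious Domains" from name-server change history.

Added example, not Silent Push code. The record fields (date, domain,
from_nameservers, to_nameservers, to_ns_srv_domain_density) follow the
output quoted in the post; the records below are constructed.
"""
from collections import defaultdict
from datetime import date

# Constructed NS-change records. The two avsvmcloud.com entries mirror the
# changes quoted in the post (the second change's from_nameservers is inferred
# from the first, its to_nameservers from the keys of its density map: both
# assumptions). The *.example domains are hypothetical controls, not real
# indicators, and their density figures are placeholders.
NS_CHANGES = [
    {"date": 20191207, "domain": "avsvmcloud.com",
     "from_nameservers": ["ns1.dnsowl.com", "ns2.dnsowl.com", "ns3.dnsowl.com"],
     "to_nameservers": ["pdns09.domaincontrol.com", "pdns10.domaincontrol.com"]},
    {"date": 20200227, "domain": "avsvmcloud.com",
     "from_nameservers": ["pdns09.domaincontrol.com", "pdns10.domaincontrol.com"],
     "to_nameservers": ["a1-139.avsvmcloud.com", "a11-64.avsvmcloud.com",
                        "a20-65.avsvmcloud.com", "a26-67.avsvmcloud.com",
                        "a4-65.avsvmcloud.com", "a6-66.avsvmcloud.com"],
     "to_ns_srv_domain_density": {
         "a1-139.avsvmcloud.com": 1, "a11-64.avsvmcloud.com": 1,
         "a20-65.avsvmcloud.com": 1, "a26-67.avsvmcloud.com": 1,
         "a4-65.avsvmcloud.com": 1, "a6-66.avsvmcloud.com": 1}},
    # Control: parked at the registrar, then moved to a large shared provider.
    {"date": 20200301, "domain": "parked-then-hosted.example",
     "from_nameservers": ["ns1.dnsowl.com", "ns2.dnsowl.com"],
     "to_nameservers": ["pdns01.domaincontrol.com", "pdns02.domaincontrol.com"],
     "to_ns_srv_domain_density": {"pdns01.domaincontrol.com": 500000,
                                  "pdns02.domaincontrol.com": 500000}},
    # Control: self-hosted name servers that also serve thousands of other zones.
    {"date": 20200301, "domain": "hoster.example",
     "from_nameservers": ["ns1.dnsowl.com", "ns2.dnsowl.com"],
     "to_nameservers": ["ns1.hoster.example", "ns2.hoster.example"],
     "to_ns_srv_domain_density": {"ns1.hoster.example": 4200,
                                  "ns2.hoster.example": 4200}},
]

# Constructed reference point standing in for "around the time the attack began".
ACTIVITY_DATE = date(2020, 3, 1)


def in_zone(host, zone):
    """True when host is zone itself or any name beneath it."""
    host, zone = host.lower().rstrip("."), zone.lower().rstrip(".")
    return host == zone or host.endswith("." + zone)


def ns_provider(ns):
    """Provider zone of a name server: naive last-two-labels rule (assumption:
    no public suffix list, so ccTLD-style suffixes such as co.uk come out wrong)."""
    return ".".join(ns.lower().rstrip(".").split(".")[-2:])


def to_date(yyyymmdd):
    s = str(yyyymmdd)
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))


def change_profile(rec):
    """Describe one NS change: did the domain move onto name servers inside its
    own zone, and is it the only zone those servers are authoritative for?"""
    domain, to_ns = rec["domain"], rec["to_nameservers"]
    density = rec.get("to_ns_srv_domain_density", {})
    self_hosted = bool(to_ns) and all(in_zone(ns, domain) for ns in to_ns)
    exclusive = bool(to_ns) and all(density.get(ns, 0) == 1 for ns in to_ns)
    return {"domain": domain, "date": to_date(rec["date"]),
            "self_hosted": self_hosted, "exclusive": exclusive,
            "providers": sorted({ns_provider(ns) for ns in to_ns})}


def ns_entropy(history):
    """Stand-in for the post's NameServer Entropy field (assumed definition):
    how many distinct provider zones the domain has been delegated to over time."""
    zones = set()
    for rec in history:
        zones.update(ns_provider(ns) for ns in rec["from_nameservers"])
        zones.update(ns_provider(ns) for ns in rec["to_nameservers"])
    return len(zones)


def managed_high_value(records, activity_date, window_days=30):
    """Domains whose most recent NS change put them on exclusive, self-hosted
    name servers within window_days before activity_date."""
    by_domain = defaultdict(list)
    for rec in records:
        by_domain[rec["domain"]].append(rec)
    hits = {}
    for domain, hist in by_domain.items():
        hist.sort(key=lambda r: r["date"])
        prof = change_profile(hist[-1])
        lead = (activity_date - prof["date"]).days
        if prof["self_hosted"] and prof["exclusive"] and 0 <= lead <= window_days:
            hits[domain] = {"switched": prof["date"].isoformat(),
                            "days_before_activity": lead,
                            "ns_entropy": ns_entropy(hist)}
    return hits


def demo():
    """Run the hunt over the constructed records; only avsvmcloud.com should match."""
    return managed_high_value(NS_CHANGES, ACTIVITY_DATE)
```

Run over a real NS-change export, the interesting knobs are the density threshold (1 is the strictest form of the avsvmcloud profile; a small number catches actors who share one self-hosted server across a handful of their own domains) and the window, which should be anchored to first observed activity rather than to today, since the `days_ago` field in the output above drifts with every day that passes.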

It is also worthwhile searching the vast volume of threat indicators you receive for "High Value Domains" and treating them differently. We have made this available in the advanced filtering part of the Threat Intelligence Analyst interface.
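The internal passive DNS hunt suggested above, with hits prioritised so that high value domains are treated differently from the rest, as an added example (not Silent Push code): the log format, the query lines and the tags are constructed for the example; the domains on the watchlist are ones quoted in this post, the *.example names are hypothetical, and serveftp[.]com is the dynamic DNS parent from the level 1 example.

```python
"""Correlate newly encountered domains in internal DNS logs with a profiled watchlist.

Added example, not Silent Push code. The log format, every query line and the
tags are constructed; the watchlist domains are the ones quoted in the post.
"""
import re
from datetime import datetime

# Constructed log format (assumption): "<ISO8601> <client> <qname> <qtype>".
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
TS_FMT = "%Y-%m-%dT%H:%M:%SZ"

# Constructed sample: a baseline week, then new names appearing on 2020-12-13.
LOGS = """\
2020-12-06T08:00:01Z 10.0.0.12 www.example.com A
2020-12-06T08:00:02Z 10.0.0.12 login.example.com A
2020-12-13T10:01:02Z 10.0.0.55 a1-139.avsvmcloud.com A
2020-12-13T10:01:03Z 10.0.0.55 AVSVMCLOUD.COM. A
2020-12-13T10:02:00Z 10.0.0.77 voicenett.serveftp.com A
2020-12-13T10:03:00Z 10.0.0.78 updates.run A
2020-12-13T10:04:00Z 10.0.0.12 www.example.com A
2020-12-13T10:05:00Z 10.0.0.12 cdn.example.org A
""".splitlines()

# Profiled domains from the post, tagged by the tier discussed above (tags are
# this example's own labels, not API field values).
WATCHLIST = {
    "avsvmcloud.com": "managed-high-value",   # own exclusive name server
    "microsoftupdateswin.com": "level3",
    "loop.microsoftmse.com": "level2",
    "updates.run": "candidate",               # similar profile, not shown malicious
}
# Dynamic DNS parents: registering a subdomain here is the level 1 case.
DYNDNS_PARENTS = {"serveftp.com"}
PRIORITY = {"managed-high-value": 0, "level3": 1, "level2": 2,
            "candidate": 3, "dynamic-dns": 4}


def parse(line):
    """Parse one log line into (timestamp, client, normalised qname, qtype)."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, qname, qtype = m.groups()
    return datetime.strptime(ts, TS_FMT), client, qname.lower().rstrip("."), qtype


def first_seen(lines):
    """Earliest timestamp (and the client that asked) for every qname."""
    seen = {}
    for rec in map(parse, lines):
        if rec is None:
            continue
        ts, client, qname, _ = rec
        if qname not in seen or ts < seen[qname][0]:
            seen[qname] = (ts, client)
    return seen


def suffix_match(qname, names, proper=False):
    """Entry of `names` that qname equals or sits beneath, walking the label
    suffixes so a1-139.avsvmcloud.com matches avsvmcloud.com. With proper=True
    the qname must be strictly below the entry (a subdomain of a DynDNS parent)."""
    labels = qname.split(".")
    for i in range(1 if proper else 0, len(labels)):
        cand = ".".join(labels[i:])
        if cand in names:
            return cand
    return None


def hunt(lines, since):
    """Names first seen at or after `since` that hit the watchlist or a DynDNS
    parent, highest value first."""
    since = datetime.strptime(since, TS_FMT)
    hits = []
    for qname, (ts, client) in first_seen(lines).items():
        if ts < since:
            continue   # already part of the baseline, not newly encountered
        matched = suffix_match(qname, WATCHLIST)
        if matched:
            tag = WATCHLIST[matched]
        else:
            matched = suffix_match(qname, DYNDNS_PARENTS, proper=True)
            tag = "dynamic-dns" if matched else None
        if tag:
            hits.append({"qname": qname, "matched": matched, "tag": tag,
                         "first_seen": ts.strftime(TS_FMT), "client": client})
    hits.sort(key=lambda h: (PRIORITY[h["tag"]], h["first_seen"], h["qname"]))
    return hits


def demo():
    return hunt(LOGS, "2020-12-13T00:00:00Z")
```

Two details matter in practice: first-seen is tracked per full query name, so a fresh DGA subdomain of an already-known parent still surfaces, and the suffix walk means the watchlist only needs the registrable domain, not every subdomain the actor generates.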

Our Silent Push enrichment service is now available to beta customers and those on our customer advisory board. If you would like to help us build out this service to suit your requirements, please join our beta program.