
Pivoting: Finding Malware Domains Without Seeing Malicious Activity

It is part of the job of a threat actor to ensure the domains used in their campaigns blend in with the crowd and stay undetected for the duration of the campaign. It is part of the job of an analyst to spot such domains by looking for ways in which they still stand out. 

Example

While looking through the trove of data on Silent Push, I spotted the domain cdn12-web-security[.]com. At first glance this looks like a normal domain, part of the content delivery network of a web security service. However, it is slightly odd that, more than three months after the domain was registered, no cdnN-web-security[.]com exists for any other value of N.

We have also learned to be a bit suspicious of these very normal looking domains: the main domain used in the SolarWinds supply-chain attack, avsvmcloud[.]com, remained undetected for months at least in part because it looks so very normal, seeming to belong to an AWS-like cloud service and hardly standing out among the domains you’ll see in your DNS logs. 

On top of this, in the past month alone, we have seen cdn12-web-security[.]com point to no fewer than six different IP addresses in succession, which is fairly unusual: 

80.249.147[.]241
47.91.92[.]75
80.249.147[.]144
47.254.131[.]6
8.208.87[.]225
8.208.101[.]136

Still, we have not seen any malicious activity linked to the domain. In fact, there does not appear to be any public activity linked to the domain at all, which suggests that whatever it is that the owners of the domain are doing, they keep it small enough to stay under the radar. 

But let us look at the IP addresses. Two of them (80.249.147[.]241 and 80.249.147[.]144) belong to the Russian hosting provider Selectel, while the other four belong to Alibaba's US operations. In Silent Push's systems these two ASNs have fairly high (i.e. bad) IP reputation scores (35 and 28 respectively), which suggests a fair number of malicious URLs are hosted there. It should be noted, though, that this isn't too uncommon for large cloud providers: Amazon AWS's IP reputation score currently stands at 19.

Now let us look at the IP address to which the domain pointed during the last week of January, 8.208.101[.]136, and see what else is hosted there.

During the last week of January, the domain secure-dns-resolve[.]com also pointed to this IP address. For this domain we have public evidence of both malware connecting to it and a phishing image hosted on it. Interestingly, and almost certainly not coincidentally, we saw this domain point to the same six IP addresses throughout January, going through them in the same order.

Another domain pointing to the same IP address is dns16-microsoft-health[.]com. Here too we find public evidence of malware that has connected to it. It will surprise no one that dnsN-microsoft-health[.]com doesn't exist for any other value of N. This domain has also cycled through the same set of IP addresses we saw before.

This is also true for a fourth domain we saw pointing to 8.208.101[.]136 recently: cdn12-show-content[.]com. Here though we find no public evidence for activity linked to this domain, malicious or not. 

Still, given the many similarities, we are confident in saying that cdn12-web-security[.]com and cdn12-show-content[.]com are operated by the same actors who operate secure-dns-resolve[.]com and dns16-microsoft-health[.]com, and that they should be blocked just as much. The same is true for a fifth domain, ms-health-monitor[.]com, which has been linked to malware and which was taken down in January.

Another thing that links these five domains is their use of DNSPod's name servers, which themselves have a fairly poor reputation score of 18 in Silent Push's systems.

These five domains aren’t the only ones linked to the mentioned IP addresses. For example, righttime4mercy[.]com currently points to 80.249.147[.]144; this domain has been linked to a Hancitor malspam campaign in the past.  

It may thus be that these IP addresses are managed by a bulletproof hosting provider, which rents out its infrastructure to malicious actors and shields them from takedown requests. The Hancitor domain may therefore be unrelated to the other five, though of course no less malicious.
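The pivot walked through above can be done mechanically over a passive DNS export. The following Python is an added example, not Silent Push code or its API: it takes observations of the form (domain, ip, first_seen), rebuilds the order in which each domain rotated through its IPs, and reports every domain that shares at least a minimum number of IPs with the seed, together with whether those IPs were visited in the same order. Only the domain names and the six IP addresses come from this post; the first_seen dates, the reversed-order domain other-rotator.example and the filler domain shop.example are constructed.

```python
"""Passive DNS pivot: find domains that share a seed domain's IP rotation.

Added example, not Silent Push code. Only the domain names and the six IP
addresses come from the post; first_seen dates, "other-rotator.example" and
"shop.example" are constructed.
"""
from collections import defaultdict
from datetime import date

SEED = "cdn12-web-security.com"
ROTATION = [  # the six IPs from the post, in the order the seed cycled through them
    "80.249.147.241", "47.91.92.75", "80.249.147.144",
    "47.254.131.6", "8.208.87.225", "8.208.101.136",
]

# Constructed passive DNS observations: (domain, ip, first_seen).
PDNS = []
for dom, day_offset in [
    ("cdn12-web-security.com", 0),
    ("secure-dns-resolve.com", 0),
    ("dns16-microsoft-health.com", 1),
    ("cdn12-show-content.com", 2),
]:
    for i, ip in enumerate(ROTATION):
        PDNS.append((dom, ip, date(2021, 1, 1 + day_offset + 5 * i)))
# Same six IPs but visited in reverse order: co-located, not co-managed.
for i, ip in enumerate(reversed(ROTATION)):
    PDNS.append(("other-rotator.example", ip, date(2021, 1, 1 + 5 * i)))
# Shares a single IP only (the righttime4mercy[.]com situation from the post).
PDNS.append(("righttime4mercy.com", "80.249.147.144", date(2021, 1, 25)))
# Never overlaps with the seed.
PDNS.append(("shop.example", "192.0.2.10", date(2021, 1, 3)))


def rotation_history(records, domain):
    """IPs a domain resolved to, de-duplicated, ordered by first_seen."""
    seen, order = set(), []
    for dom, ip, first_seen in sorted(records, key=lambda r: r[2]):
        if dom == domain and ip not in seen:
            seen.add(ip)
            order.append(ip)
    return order


def pivot(records, seed, min_shared=2):
    """Map each other domain to (shared_ip_count, same_order) when it shares at
    least min_shared IPs with the seed. same_order is True when the shared IPs
    appear in the same relative sequence in both histories, which is the
    'cycled through them in the same order' signal used in the post."""
    seed_history = rotation_history(records, seed)
    seed_ips = set(seed_history)
    by_domain = defaultdict(list)
    for rec in records:
        if rec[0] != seed:
            by_domain[rec[0]].append(rec)
    result = {}
    for dom, recs in by_domain.items():
        history = rotation_history(recs, dom)
        shared = [ip for ip in history if ip in seed_ips]
        if len(shared) < min_shared:
            continue
        seed_order = [ip for ip in seed_history if ip in shared]
        result[dom] = (len(shared), shared == seed_order)
    return result


if __name__ == "__main__":
    for dom, (n, same) in sorted(pivot(PDNS, SEED).items()):
        print(f"{dom:30} shared={n} same_order={same}")
```

The order check is what separates the domains that rotate in lockstep with the seed from a domain that merely lands on one of the same IPs. With the default min_shared=2, righttime4mercy[.]com is not reported at all; with min_shared=1 it shows up as a one-IP overlap, which is the shared or bulletproof hosting caveat from the text rather than evidence of common operators. other-rotator.example shares all six IPs but in a different order, so it is flagged with same_order=False and deserves a closer look before being attributed.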

Conclusion 

Pivoting around an IP address or a domain name isn’t generally a very reliable way to link malicious activity, given the wide use of shared and compromised infrastructure, as well as the use of false flags by more advanced actors. However, it should not be totally ignored either.  

We started from a single interesting looking domain for which no malicious activity could be found. Through the Silent Push API and with the help of a few search engine searches, we were able to link it to an active malware campaign, and possibly found part of a bulletproof hosting operation.


Investigating Crimeware Name Servers

Very few security products and services give enough consideration to the reputation and quality of the name server associated with the domains they are looking at.

Example

In this example, we pick a High Value Suspicious Domain and check what else sits on the same name server, to see what the process turns up.

Our seeding domain will be service-update[.]link. Looking at the name server info from our API:

      "domain": "service-update[.]link",
      "ns_avg_ttl": 4149,
      "ns_domain": "dendrite.network",
      "num_domains": 203,

This is a low density name server: we have only seen 203 domains on it. It also has a low average TTL (4149 seconds, about 69 minutes) across the domains on it, which may suggest more frequent record changes than on other name servers.
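The two fields read off the API output above, the number of domains on a name server and the average TTL across them, can be computed from any passive DNS store that records which name servers a domain uses. The following Python is an added example, not the Silent Push API: it derives the name server domain from each NS host, profiles each name server domain, lists the sparsely used ones, and performs the "what else is on this name server" pivot for a seed domain. Only dendrite.network and the domain names from the two groups below come from the post; the NS host names, TTLs and the busy provider bigdns.example are constructed.

```python
"""Name server density: how many domains share a name server's domain, the
average TTL across them, and which other domains sit on the seed's name server.

Added example, not the Silent Push API. Records are constructed; only
dendrite.network and the Group 1/2 domain names come from the post, and the
TTLs, host names and the "bigdns.example" provider are assumptions.
"""
from collections import defaultdict
from statistics import mean

# (domain, name server host, TTL of the domain's records) as a passive DNS
# store might hold them. Constructed.
NS_RECORDS = [
    ("service-update.link", "ns1.dendrite.network", 3600),
    ("update-support.network", "ns2.dendrite.network", 600),
    ("hs-securealerts.com", "ns1.dendrite.network", 3600),
    ("paypalservice.support", "ns2.dendrite.network", 900),
    ("rbscotland-online.com", "ns1.dendrite.network", 3600),
]
# A busy, legitimate provider with many customers and long TTLs (assumed).
NS_RECORDS += [(f"site{i}.example", f"ns{i % 2 + 1}.bigdns.example", 86400)
               for i in range(40)]


def ns_domain(ns_host):
    """Registrable domain of a name server host (two-label heuristic; use a
    public-suffix list in production for e.g. ns1.host.co.uk)."""
    return ".".join(ns_host.lower().rstrip(".").split(".")[-2:])


def ns_profile(records):
    """{ns_domain: {"num_domains": n, "ns_avg_ttl": mean TTL}}, the two
    fields the post reads off its API output."""
    domains, ttls = defaultdict(set), defaultdict(list)
    for dom, ns_host, ttl in records:
        nsd = ns_domain(ns_host)
        domains[nsd].add(dom.lower())
        ttls[nsd].append(ttl)
    return {nsd: {"num_domains": len(domains[nsd]),
                  "ns_avg_ttl": round(mean(ttls[nsd]))} for nsd in domains}


def low_density_ns(records, max_domains=250):
    """Name server domains seen on at most max_domains domains. Low density
    alone is not malicious (a small business running its own DNS qualifies);
    it is a reason to look at what else is on the server."""
    return sorted(nsd for nsd, p in ns_profile(records).items()
                  if p["num_domains"] <= max_domains)


def cohosted(records, seed):
    """Other domains on the same name server domain(s) as the seed: the
    'what else is on this name server' pivot."""
    seed = seed.lower()
    seed_ns = {ns_domain(h) for d, h, _ in records if d.lower() == seed}
    return sorted({d.lower() for d, h, _ in records
                   if ns_domain(h) in seed_ns and d.lower() != seed})


if __name__ == "__main__":
    profile = ns_profile(NS_RECORDS)
    for nsd in low_density_ns(NS_RECORDS, max_domains=10):
        print(nsd, profile[nsd])
    print(cohosted(NS_RECORDS, "service-update.link"))
```

The density threshold is a triage knob, not a verdict: the point of a low count is that the co-hosted set is small enough to review by hand, which is exactly what the two groups below do.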

A quick lookup using our explore API gives us a number of suspicious domains with matching characteristics. These appear to be in two groups.

Group 1:

Commonalities: tech-related theme; name server domain dendrite.network; an A record is present; AS holder ColoCrossing; registrar Namesilo; registrant address "Tavernier St., Wall House", Loubiere, DM (Dominica).

Domain                    PTR record          Potential target    Registrar
update-support[.]network  *colocrossing.com   3 Mobile UK         Namesilo
service-update[.]link     *colocrossing.com   Live soon           Namesilo
hs-securealerts[.]com     *colocrossing.com   HSBC                Namesilo
ref0948a[.]com            *colocrossing.com   unknown             Namesilo
ref0948a[.]com            *colocrossing.com   HMRC                Namesilo
aem-new[.]com             *colocrossing.com   3 Mobile UK         Namesilo
aempath[.]com             *colocrossing.com   3 Mobile UK         Namesilo
com-gb[.]mobi             *colocrossing.com   Mobile UK           Namesilo

It appears that the Group 1 domains have either been used maliciously already or are waiting to be used maliciously. Monitoring the "waiting" domains for changes is key, as this may make it possible to block their activity as soon as a domain moves into an actively malicious mode. There are a number of ways to do this, such as monitoring for new changes in DNS or associated records. Moving infrastructure can often mark the activation of a malicious domain. A good example of this is avsvmcloud[.]com: when it was activated for the SolarWinds breach, it switched to its own name servers for the active part of the campaign.

Group 2:

This group seems to lead to more and more indicators so I'll post them over time.

Commonalities: tech-related theme; name server domain dendrite.network; domains have been aged; an A record is present; AS holder Nice IT Services Group Inc.; registrar Namesilo; registrant address "Tavernier St., Wall House", Loubiere, DM (Dominica).

Domain                         AS name of IP      Potential target             Registrar
paypalservice[.]support        Nice IT Services   PayPal                       Namesilo
small-url[.]cc                 Nice IT Services   Adobe and others             Namesilo
election[.]finance             Nice IT Services   malware download             Namesilo
ulsterbankonlineltd[.]com      Nice IT Services   Ulster Bank (RBS)            Namesilo
choicebank[.]online            Nice IT Services   Choice Bank / First Choice   Namesilo
documentcloud[.]pw             Nice IT Services   Adobe and others             Namesilo
rbscotland-online[.]com        Nice IT Services   Royal Bank of Scotland       Namesilo
btctools[.]net                 Nice IT Services   Bitcoin wallet stealer       Namesilo
gb-kpmg[.]com                  Nice IT Services   KPMG                         Namesilo
secure-id[.]cloud              Nice IT Services   Secure ID                    Namesilo
service-ca-verification[.]com  Nice IT Services   flagged as spammer           Namesilo
teamtnt[.]red                  Nice IT Services   malware downloads            Namesilo

These two groups are separated on similarities only and could of course be a single group. Either way, this name server is very heavily used by malicious actors, including, without doubt, the threat actor group known as TeamTNT.

How can I use this information?

All the information above was collected by our API and can be leveraged for threat hunting or detections. The information is pre-collected and cached so new lookups don’t have to be done each time you have a new indicator to check. We’ve already collected all this information and run some analysis on it to give things like reputation scores for the name server, the AS number reputation, the subnet reputation etc.

A security team can run Yara rules over this information to try to find "High Value Malicious Domains" in their logs or associated IP addresses.

We also have threat hunting API endpoints that gather behavioral clusters for you so you can quickly create your own new intelligence, or we can do it for you.



High Value Malicious Domains

Malicious domains vary enormously in quality depending on the use case and the expected lifespan of the proposed campaign. For example, if someone was running a phishing campaign and wanted to fool a user into clicking a link, the domain used for the link may not even matter if it is masked in the email and the user is going to believe they are clicking on something else in the HTML. A low value malicious domain is likely to be used in this scenario. This could involve something as easy as registering a subdomain similar to the intended victim as part of a dynamic domain service such as noip[.]org.

Example:

hxxps://voicenett.serveftp[.]com/6s17aiqf1hczfv7e

These don’t necessarily need to survive for long depending on what the next stage of the planned attack is, and can be redirected to any desired payload.

Next in the stack would be domains similar to the victim or to the victim's supply chain. These can work very well, particularly for email campaigns.

Some recent examples from threat feeds would be:

Level 2

loop.microsoftmse[.]com

wellsconfirm-account[.]com

aliorbank[.]io

The use case this time may be, for example, to put the domain in the reply-to field of an email; Business Email Compromise would be a typical example. It's a little more visible to the victim and therefore needs to be convincing.

On the next tier would be domains that stand out by themselves and look like they would provide a valid service. These are getting into the high value territory now as there may not be an obvious reason to block them. They don’t look like another domain to be caught by a typo squatting rule and may not look anomalous in network traffic, or the service copied is very generic like Microsoft. However the use case is different to those mentioned before as it may not be email related.

Level 3

microsoftupdateswin[.]com

serviceupdates[.]net

servicesupdater[.]com

These are very convincing and can be used for long standing campaigns and may survive for a period of time. This also results in these domains being recycled and reused over the years, even if they have previously been taken down after being discovered being involved in malicious activity.

Differentiating after this is broken down into tactics and procedures of the attacker and things get quite difficult. In order not to give away too much of the defenders toolkit I won’t go into further detail on this.

Examples From UNC2452 also known as Dark Halo/Sunburst:

So, now to the indicators from the recent breaches that have been revealed so far.

Nearly all the domains fit into the level 3 category, and some would fit into a higher category due to associated tactics. First, they used one main domain that was critical to their campaign.

Avsvmcloud[.]com

This was further broken down into various subdomains using a Domain Generation Algorithm. Some good work was done on uncovering the links to victim names here.

This primary domain had its own name server, which only had one domain on it:

      "domain": "avsvmcloud[.]com",
      "to_ns_srv_domain_density": {
          "a1-139.avsvmcloud[.]com": 1,
          "a11-64.avsvmcloud[.]com": 1,
          "a20-65.avsvmcloud[.]com": 1,
          "a26-67.avsvmcloud[.]com": 1,
          "a4-65.avsvmcloud[.]com": 1,
          "a6-66.avsvmcloud[.]com": 1
      }

The domain switched to using this name server on 27th February 2020 around the time the attack began.

The list of name server changes for this domain is here:

NS changes: 2

      {
          "date": 20191207,
          "days_ago": 374,
          "domain": "avsvmcloud[.]com",
          "from_nameservers": [
              "ns1.dnsowl.com",
              "ns2.dnsowl.com",
              "ns3.dnsowl.com"
          ],
          "to_nameservers": [
              "pdns09.domaincontrol.com",
              "pdns10.domaincontrol.com"
          ]
      },
      {
          "date": 20200227,
          "days_ago": 292,
          "domain": "avsvmcloud[.]com",
          "to_ns_srv_domain_density": {
              "a1-139.avsvmcloud[.]com": 1,
              "a11-64.avsvmcloud[.]com": 1,
              "a20-65.avsvmcloud[.]com": 1,
              "a26-67.avsvmcloud[.]com": 1,
              "a4-65.avsvmcloud[.]com": 1,
              "a6-66.avsvmcloud[.]com": 1
          }
      }

Switching name servers just before a campaign signifies a management process around attacker infrastructure, and that is the case for most of the domains in this campaign. We therefore give these types of domains a higher category, "Managed High Value Malicious Domains". In our Threat Intelligence enrichment API we capture this concept with the NameServer Entropy field.

The rest of the domains have a similar profile, except that they use a shared name server:

avsvmcloud[.]com
freescanonline[.]com
zupertech[.]com
panhardware[.]com
databasegalore[.]com
incomeupdate[.]com
highdatabase[.]com
websitetheme[.]com
thedoccloud[.]com
virtualdataserver[.]com
lcomputers[.]com
webcodez[.]com
deftsecurity[.]com
digitalcollege[.]org
globalnetworkissues[.]com
kubecloud[.]com
seobundlekit[.]com
solartrackingsystem[.]net
virtualwebdata[.]com

The next step is to see whether this profile can be generalised and used to hunt for more domains like it, and so whether the technique is more widespread.

Creating a query to look for similar profiles to the main domain which had to operate from its own nameserver may lead to other instances of actors using the same technique.

This leads us to a list of very useful domains that have been registered in a similar pattern as the original avsvmcloud[.]com. This does not mean these are in any way malicious, just worthy of a further look.
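The profile described above (a domain that leaves a shared, third-party name server for name servers inside its own zone shortly before it goes active) can be expressed as a query over name server change history. The following Python is an added example, not the Silent Push API, its query language or its NameServer Entropy field: it flags every domain whose NS change goes from out-of-bailiwick to in-bailiwick servers, and lists the distinct name server providers each domain has used as a crude churn measure. The two avsvmcloud.com events mirror the NS-change records quoted above (the second change's target name servers are taken from the density record, which is all the quoted output lists); every .example domain, its name servers and its dates are constructed.

```python
"""Hunt for the avsvmcloud[.]com pattern: a domain that moves from a shared,
third-party name server onto name servers inside its own zone.

Added example, not the Silent Push API, its query language or its
"NameServer Entropy" field. The two avsvmcloud.com events mirror the NS-change
records quoted in the post (the target name servers of the second change are
taken from the density record, which is all the quoted output lists); every
".example" domain and its dates are constructed.
"""
from datetime import date


def parse_date(yyyymmdd):
    s = str(yyyymmdd)
    return date(int(s[:4]), int(s[4:6]), int(s[6:8]))


NS_HISTORY = [
    {"date": 20191207, "domain": "avsvmcloud.com",
     "from_nameservers": ["ns1.dnsowl.com", "ns2.dnsowl.com", "ns3.dnsowl.com"],
     "to_nameservers": ["pdns09.domaincontrol.com", "pdns10.domaincontrol.com"]},
    {"date": 20200227, "domain": "avsvmcloud.com",
     "from_nameservers": ["pdns09.domaincontrol.com", "pdns10.domaincontrol.com"],
     "to_nameservers": ["a1-139.avsvmcloud.com", "a11-64.avsvmcloud.com",
                        "a20-65.avsvmcloud.com", "a26-67.avsvmcloud.com",
                        "a4-65.avsvmcloud.com", "a6-66.avsvmcloud.com"]},
    # Constructed: provider-internal shuffle, stays on shared DNS.
    {"date": 20200301, "domain": "shop.example",
     "from_nameservers": ["ns1.bigdns.example"],
     "to_nameservers": ["ns2.bigdns.example"]},
    # Constructed: registered with its own name servers from day one (no prior NS).
    {"date": 20200310, "domain": "selfhosted.example",
     "from_nameservers": [], "to_nameservers": ["ns1.selfhosted.example"]},
    # Constructed: the same shared-to-own move as avsvmcloud.com.
    {"date": 20200315, "domain": "cdn-sync.example",
     "from_nameservers": ["ns1.bigdns.example", "ns2.bigdns.example"],
     "to_nameservers": ["dns1.cdn-sync.example", "dns2.cdn-sync.example"]},
]


def registrable(host):
    """Registrable domain of a host by a two-label heuristic (good enough for
    .com/.network; a public-suffix list is needed for e.g. co.uk)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def in_bailiwick(domain, hosts):
    """True when every name server host lies inside the domain's own zone."""
    d = "." + domain.lower().rstrip(".")
    return bool(hosts) and all(h.lower().rstrip(".").endswith(d) for h in hosts)


def shared_to_own_switches(history):
    """(domain, date) for each change from third-party name servers to
    in-bailiwick ones. A domain with no previous name servers is skipped:
    the signal is the move onto dedicated infrastructure, not self-hosting
    as such."""
    hits = []
    for ev in sorted(history, key=lambda e: e["date"]):
        d = ev["domain"]
        if (ev["from_nameservers"]
                and not in_bailiwick(d, ev["from_nameservers"])
                and in_bailiwick(d, ev["to_nameservers"])):
            hits.append((d, parse_date(ev["date"])))
    return hits


def ns_providers(history, domain):
    """Distinct name server provider domains a domain has used, in order of
    first use. A crude stand-in for a name server churn measure; this
    definition is the example's own, not Silent Push's."""
    out = []
    for ev in sorted(history, key=lambda e: e["date"]):
        if ev["domain"] != domain:
            continue
        for host in ev["from_nameservers"] + ev["to_nameservers"]:
            p = registrable(host)
            if p not in out:
                out.append(p)
    return out


if __name__ == "__main__":
    for d, when in shared_to_own_switches(NS_HISTORY):
        print(f"{d}: moved onto its own name servers on {when}; "
              f"providers so far: {ns_providers(NS_HISTORY, d)}")
```

Two design points matter for the hit rate. Requiring a non-empty previous name server set keeps out domains that were simply registered with their own DNS, which is common and benign; and the bailiwick test is on every name server, so a domain that adds one vanity NS host next to its provider's servers does not match. As the text says of its own candidate list, a match is a reason to look, not a verdict.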

updates[.]run

fedora-dns-update[.]com, which was associated with APT22 (Suckfly) back in 2014-2016 but whose current use is unknown

virtualserverfaq[.]com

microsoftsonline[.]net, which has already been identified in a different breach attributed to APT41

microlynconline[.]com, which has already been identified in a different breach attributed to APT27

The list is much longer but very much speculation, so we won’t list any more in a public forum. Threat Hunters can use this profiling methodology to query datasets (such as from Silent Push) to draw a list of candidates worthy of monitoring. Keeping an internal Passive DNS service going on your own organizational traffic and hunting on all newly encountered domains within that to correlate with the list of profiled domains would also be worth doing.

It is also worthwhile searching within the vast volume of threat indicators you receive for “High Value Domains” and treating them differently. We have made this available in the advanced filtering part of the Threat Intelligence Analysts interface.

Our Silent Push enrichment service is now available to Beta customers and those on our customer advisory board. If you would like to join us building out this service to suit your requirements please join our Beta program.