
The Manipulaters Team Blog Post

In a recent blog post, security journalist Brian Krebs wrote about the Manipulaters Team, a group of Pakistani hackers who sell spam and malware tools online and are believed to be behind the fake identity of Saim Raza, a dark web threat actor.

They refer to their tools as “FUD”, short for Fully Undetectable, because they advertise their products as unnoticeable to antivirus or anti-spam programs.

The group makes little effort to hide its work: a simple Internet search such as “Fudtools” or “Fudpage” was enough to find several of the group’s websites selling phishing tools, as well as a YouTube channel.

After analyzing each of these domains using the Domain Lookup, Enrich Domain and Enrich IP features in the Silent Push App, I found that:

  • the domains used either *.blazingfast.io or *.cloudflare.com as nameservers;
  • the vast majority of them were registered through Internet Domain Service BS Corp., but a few were registered through R01-SU, RU-CENTER-RU or Sav.com LLC;
  • the IP addresses that host them belong to either Netsolutions (AS47674) or Cloudflare (AS13335);
  • the domains have clear domain name patterns, in particular *fud*, *tool*, *page*, *sender* or *spam*.

I found many more domains with these name patterns through the Silent Push API and its passive DNS features, using various combinations of the nameservers, AS name and registrar found above as query parameters.

To complete the search, the IP addresses that host the domains I discovered were analyzed using the IP Lookup feature on Silent Push App, which revealed more domains managed by this group. The full list of IOCs can be found below.
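The pivot described above, as an added example that is not code from the post or from Silent Push: a fingerprint built from the reported name tokens, nameservers, registrars and ASNs is applied to passive-DNS records, and the IP-lookup step returns the other domains on a seed's IP. The record shape, the classification thresholds and all sample records except fudtool.com are constructed for the example.

```python
import re
from dataclasses import dataclass

# Fingerprint attributes reported in the analysis above. The tokens,
# nameserver suffixes, registrars and ASNs are the post's findings;
# the record shape and sample data below are constructed for this example.
NAME_TOKENS = ("fud", "tool", "page", "sender", "spam")
NAMESERVER_RE = re.compile(r"(^|\.)(blazingfast\.io|cloudflare\.com)$")
REGISTRARS = {"Internet Domain Service BS Corp.", "R01-SU", "RU-CENTER-RU", "Sav.com LLC"}
ASNS = {47674, 13335}  # Netsolutions, Cloudflare


@dataclass(frozen=True)
class DomainRecord:
    """One enriched passive-DNS record (assumed shape, not the Silent Push API schema)."""
    domain: str
    nameservers: tuple
    registrar: str
    asn: int
    ip: str


def matching_attributes(rec):
    """Return the fingerprint attributes this record shares with the cluster."""
    hits = []
    label = rec.domain.lower().split(".")[0]
    if any(token in label for token in NAME_TOKENS):
        hits.append("name")
    if rec.nameservers and all(NAMESERVER_RE.search(ns.lower()) for ns in rec.nameservers):
        hits.append("nameserver")
    if rec.registrar in REGISTRARS:
        hits.append("registrar")
    if rec.asn in ASNS:
        hits.append("asn")
    return hits


def classify(rec):
    """A name token plus the registrar plus at least one hosting attribute is
    treated as part of the cluster. A name token on shared Cloudflare
    infrastructure alone only earns a review: Cloudflare nameservers and
    AS13335 are the same signal twice, and both serve legitimate customers."""
    hits = matching_attributes(rec)
    if "name" in hits and "registrar" in hits and len(hits) >= 3:
        return "cluster"
    if hits:
        return "review"
    return "unrelated"


def pivot_on_ip(records, seeds):
    """The post's final step: take the IPs of known seed domains and return
    every other domain observed on those IPs with its classification."""
    seed_ips = {r.ip for r in records if r.domain in seeds}
    return {r.domain: classify(r)
            for r in records if r.ip in seed_ips and r.domain not in seeds}


# Constructed sample records; fudtool.com is the only domain taken from the post.
RECORDS = [
    DomainRecord("fudtool.com", ("ns1.blazingfast.io", "ns2.blazingfast.io"),
                 "Internet Domain Service BS Corp.", 47674, "203.0.113.10"),
    DomainRecord("freshsenderx.example", ("ns1.blazingfast.io", "ns2.blazingfast.io"),
                 "R01-SU", 47674, "203.0.113.10"),
    DomainRecord("quarterly-report.example", ("ns1.blazingfast.io", "ns2.blazingfast.io"),
                 "Other Registrar", 47674, "203.0.113.10"),
    DomainRecord("toolbox.example", ("ns-a.ns.cloudflare.com", "ns-b.ns.cloudflare.com"),
                 "Other Registrar", 13335, "198.51.100.7"),
]

if __name__ == "__main__":
    for domain, verdict in pivot_on_ip(RECORDS, {"fudtool.com"}).items():
        print(f"{domain:28} {verdict}")
```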

The domains are also available to Silent Push customers in a feed called ‘Manipulaters’, which continues to be updated.

IOC list (active domains)



Silent Push threat data now available in Splunk

We’re thrilled to announce the Silent Push Splunk Add-On. The add-on collects prioritized observables from the Silent Push App and makes them directly available in a Splunk Enterprise instance.

Additionally, the Silent Push app can be fully integrated into existing cyber security systems, strengthening the capabilities of existing cyber security teams.

Key Benefits

  • Exposing high-risk and hard-to-detect attacker infrastructure in an easy-to-consume API, including live infrastructure of top access brokers.
  • Enrichment of existing CTI feeds; scored and ranked by importance.
  • Silent Push-generated feeds focused on threats that specifically affect your organization.
  • A variety of groundbreaking security tools, including the explore tool for finding similar and related infrastructure and the ability to save prioritized indicators suitable for specific security tools such as email security services or firewalls.

The Silent Push Threat Intelligence – Splunk Add-On is available immediately. Contact [email protected] for general inquiries. There’s also a tutorial video here: https://www.silentpush.com/blog/threat-intelligence-app-for-splunk-now-available


Privacy Tools (Not) for You

While looking through one of the malicious domain feeds managed for Silent Push customers, three interesting domains were noticed:

privacytoolzforyou-7000[.]com
privacytoolzfor-you7000[.]com
privacy-tools-for-you-777[.]com

Curious to learn what was on these domains, the last one was opened in a safe environment. It was registered only yesterday (the other two domains were registered on 19 November), is currently live and was not detected by Safe Browsing, to which it has since been reported.

The site suggests it offers privacy tools as a “secure & easy way to file protect”:

The design of the website looks pretty slick and while clearly not written by a native speaker of English, it includes cute bits such as:

The options to sign in to the website or to purchase the full version of the product don’t appear to work (nor should one expect them to: the site is served over unencrypted HTTP), but thankfully there is a trial version that can be used.

The links to macOS and Linux versions of the product don’t work, but the download for Windows works. It serves a Windows executable from:

http://privacy-tools-for-you-777[.]com/downloads/installer.exe

Unsurprisingly, the downloaded file isn’t a privacy tool at all, but a piece of malware. It has SHA256 hash 47906fc0ac7d3be54c62933e5f66a285cd34f161ce1d8a1bbdf80dc2e1df1441, though URLhaus reports that many other files have been served from the same URL.

All of these files have been detected as SmokeLoader, an old but still active malware downloader that has been used to serve other kinds of malware, such as the RedLine and Raccoon infostealers.

A search for similar domains in Silent Push’s database gave 26 domains in total, such as privacy-toolz-for-you-3000[.]top and privacytoolsforyoufree[.]xyz, some going back as early as June of this year (see the full list at the bottom of this post).

Most of these were active for a few weeks or even less. There is strong evidence to suggest they were run by the same actor and also served SmokeLoader; see for example this entry in URLhaus. This Proofpoint blog post, which shows the same Privacy Tools website, suggests the campaign may go back even further.

The campaign switched to its current bulletproof hosting provider, which is currently being tracked, some time in September.

Rogue file hosters

Interestingly, the malicious file downloaded has also been served from host-data-coin-11[.]com. This is likely more than a coincidence: the file is on the same Silent Push feed and uses the same bulletproof infrastructure. A search for domains with a similar pattern returned eighteen more domains, all of which use the same infrastructure.

At least one of these domains is still active and, after clicking through the Safe Browsing warning, leads to a ‘Superstar file hosting’ website.

A file could be selected from a computer (only .exe files appear to be allowed) and uploaded, after which a URL was provided that did indeed serve the very same file that had been uploaded. The same URL pattern has been seen in malware served from those domains, so it seems likely that this front end has also been used by the actors themselves.

Interestingly, some of these domains also appear to have been served as C2 domains for SmokeLoader, as can be seen in this sandbox report.

Conclusion

It is unclear what the exact link is between the two kinds of domains, but it is very likely they are operated by the same actor.

It is also unclear in what context the URLs were served, but it’s possible that they have been distributed in specific places, such as forums for cryptocurrency enthusiasts, which are a popular target for infostealers.

Silent Push maintains many feeds for its customers that often include domains like the ones mentioned in this blog post, even before they become active. The Silent Push API, which supports regular expressions, allowed me to search for similar domains.
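The two naming schemes described in this post, written as anchored regular expressions, as an added example (not the post's own query or Silent Push code). The patterns, the family names and the look-alike domains that must not match are constructed here; a match is a lead for enrichment, not a verdict.

```python
import re

# Naming scheme of the fake privacy tools sites: "privacy tools for you" with
# optional hyphens, a digit group in the middle or at the end, or "free".
PRIVACY_TOOLS_RE = re.compile(
    r"^privacy-?tool[sz]-?\d*-?for-?you-?(?:\d+|free)?\.[a-z]{2,}$")
# Naming scheme of the file hosters: three tokens from {host, file, coin, data},
# hyphen-separated, then an optional hyphen and a number (host-data-coin-11, ...).
FILE_HOSTER_RE = re.compile(
    r"^(?:host|file|coin|data)(?:-(?:host|file|coin|data)){2}-?\d+\.com$")

FAMILIES = (
    ("fake-privacy-tools", PRIVACY_TOOLS_RE),
    ("file-hoster", FILE_HOSTER_RE),
)


def refang(domain):
    """Turn the defanged form used in reports (example[.]com) back into a hostname."""
    return domain.strip().lower().replace("[.]", ".")


def match_family(domain):
    """Return the campaign family a domain name belongs to, or None."""
    host = refang(domain)
    for family, pattern in FAMILIES:
        if pattern.match(host):
            return family
    return None


def group_by_family(domains):
    """Group (possibly defanged) domains by family; unmatched ones go under None."""
    groups = {}
    for d in domains:
        groups.setdefault(match_family(d), []).append(refang(d))
    return {k: sorted(v) for k, v in groups.items()}


# Constructed input: six domains from the post plus look-alikes that must not match.
SAMPLE = [
    "privacy-tools-for-you-777[.]com", "privacytoolz123foryou[.]club",
    "privacytoolsforyoufree[.]xyz", "host-data-coin-11[.]com",
    "file-file-file1[.]com", "host-file-host-3[.]com",
    "privacytools[.]example", "file-host[.]com", "host-file-cdn3[.]com",
]

if __name__ == "__main__":
    for family, members in group_by_family(SAMPLE).items():
        print(family, members)
```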

Indicators of compromise

Fake privacy tools:


File hosters and/or SmokeLoader C2:


Would you like to use our feeds or platform to protect your organization? Please contact Silent Push so we can help you.



Finding the 98% of unknown attacker activity

It has been said by industry leaders that analysts can only see, at best, 2% of what the bad guys are up to on any given day.


That leaves analysts and SOC teams with an uphill battle to find and defend their organizations from the other 98% of attacker activity.

Using TTP-based detection built on DNS artefacts to uncover attacker infrastructure is a new field of threat intelligence, and one that is far more useful for proactive defense than previous efforts.

What is TTP based detection for uncovering attacker infrastructure?

It means analysts look for the traces left behind by attackers’ infrastructure management processes and day-to-day tactics, mostly in DNS, which allow them to uncover the rest of a campaign the attackers have set up.

There are many aspects to this and many different pieces of evidence that analysts look for, which it is better not to reveal in a public forum. Some of the ideas are partially revealed in previous Silent Push blog posts, such as New Attributes or malicious infrastructure, which show the simpler end of things.

However, truly uncovering the unknown 98% takes a well-organized research cycle that delivers new attributes and insights, which are then tested with machine-assisted learning and with our behavior clustering. The result is the ability to expand knowledge of a campaign from what traditional security products know to the unknown portion, the 98%. With this information, network defenders can really defend themselves against what is coming.

Silent Push is all about revealing that 98% to its customers. Not just that: it is also about revealing the underlying characteristics that allow threat intelligence teams to find what they need for their organization.



Portuguese Bank phishing

Click here for a Portuguese version of this post.

A few weeks ago, Afonso received a text message on his phone (in Portuguese) that translated to:

“Avoid blocking your account: Please access loguin-novobanco[.]com”

As in most phishing schemes, the malicious domain tries to impersonate the real one and this was no exception. Afonso was clearly able to spot the word ‘loguin’ (‘login’ in Portuguese), so he decided to investigate a bit further.

Using the Silent Push App, Afonso ran a domain lookup to see what he could find.

At the time, the domain was being hosted on 13.66.4[.]22.

The first thing Afonso did was to investigate other domains on the same IP address and then on the same subnet. For that, Afonso used the reverse IP lookup function. Since nothing interesting came up on the subnet, he decided just to search what else he could find on the same IP address:

This led to plenty of other bank phishing domains such as:

montepio-app[.]com, which spoofs Portuguese bank Montepio.

appitau-tarjeta.puntosarescatar[.]com, which spoofs a Brazilian bank.

Most of the domains were created less than a week earlier, so this meant Afonso could track everything from the beginning.

After checking on each domain, Afonso found they all used kinghostbr.*.orderbox-dns[.]com as nameservers. He decided to use the Silent Push API to see if he could find any other suspicious domains using these nameservers, and found Santander Bank spoofing domains, which had been taken down already.

None of the domains Afonso found seemed to have an active website at the time of his research; most just redirected to a photography page.

Indicators of Compromise



Portuguese Bank Phishing (Portuguese Version)

A few weeks ago I received an SMS message with the following content:

“Avoid blocking your account: Please access loguin-novobanco[.]com”

As in most phishing schemes, the malicious domain tries to impersonate the official one, and this case was no exception. I could tell from the word ‘loguin’, from the English ‘login’, so I decided to investigate a bit further.

I ran a domain lookup using the Silent Push application to see what I could find.

At the time, the domain was hosted on IP 13.66.4[.]22. The first thing I did was to investigate domains on the same IP or on the same subnet. For that I used the reverse IP lookup, but since nothing interesting came up on the same subnet, I decided to just search for what I could find on the same IP.

This led to a series of other domains used for phishing, such as:

montepio-app[.]com → Imitation of a Portuguese bank, Montepio.

appitau-tarjeta.puntosarescatar.com → Imitation of a Brazilian bank, Itaú.

And many more. Most of the domains had been created less than a week earlier, which meant I could follow the domain creation process in more detail and from the beginning.

After checking each domain, I noticed a ‘Name Server’ common to some of the domains, kinghostbr.*.orderbox-dns.com. I decided to use the API to see if I could find a few more phishing domains by filtering on the Name Server alone. This way I found some domains imitating Santander, but already inactive.

Most of the domains I found did not have an active web page, and those that did just redirected to a photography page.

Indicators of Compromise



Evaluating the Value of Security Intelligence Feeds with Silent Push

The value of cyber security threat intelligence feeds can’t be overstated. However, like all security measures, not all cyber threat intelligence feeds are created equal. So what are some of the differences between a good and a great security feed?  

There are of course a variety of factors that play into the value of any particular security feed. Some common considerations are relevancy and usability.  

Unmeasurable Factors in Cyber Threat Intelligence Feeds

Generally speaking, a security feed that provides highly relevant data is providing data that is closely related to the target business or organization. Nowadays, many threats are targeted at specific businesses, which makes relevancy a critical factor in evaluating feeds.  

Usability refers to how likely it is that information supplied by the security feed can lead to decisions that improve security. One of the end goals of a security feed is to allow for decisions that improve security policy making.  If feed items only contain domains, IPs or hashes without any reasoning or clues as to why they are there, then they are not so useful. Each item needs to come with clues as to why it is suspicious and some information about how the feed is compiled in the first place so you know what you are looking at. Most importantly, this context will help you know how to use the information.

These factors are rare enough on their own. A further problem is that any given company may pay for a large number of security feeds. These feeds are quite expensive and may supply repetitive data. In the worst cases, one feed may simply be copying another, yet the company’s security feed analysts may never know.

Expanding upon that, it’s also helpful to know which feeds are the first to share any potentially useful information. If an analyst had five security feeds that all detected the same potential risk, they’d want to know which detected it first and which last. In this way, the analyst can identify which feeds are the most valuable and which could be cut.   

Evaluating Cyber Threat Intelligence Feeds with Silent Push

Silent Push provides two unique metrics to address the above issues to identify the best cyber threat intelligence feeds.  

One of these metrics is called overlapping percentage. This refers to the proportion of indicators (IoCs) on that feed that are also seen on other feeds. Of course, a feed that provides unique data, data that isn’t seen on other feeds, can provide valuable insights.   

Another percentage-based metric is originality percentage. Originality percentage means the proportion of indicators on any particular feed which were first shared by that feed. A feed that provides a large amount of original intelligence is a valuable asset to a business or organization.   
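The two metrics defined above, computed over constructed feeds, as an added example that is not Silent Push's implementation. It assumes each feed records the date it first published an indicator; indicators unique to a feed count as original, and a tie on the same day also counts as original (both are assumptions of this example).

```python
from datetime import date

# Constructed feeds: indicator -> date on which that feed first published it.
FEEDS = {
    "feed_a": {"a.example": date(2021, 11, 1), "b.example": date(2021, 11, 1),
               "c.example": date(2021, 11, 2)},
    "feed_b": {"b.example": date(2021, 11, 2), "c.example": date(2021, 11, 1),
               "d.example": date(2021, 11, 1)},
    "feed_c": {"b.example": date(2021, 11, 3), "c.example": date(2021, 11, 3),
               "d.example": date(2021, 11, 3), "e.example": date(2021, 11, 1)},
}


def overlapping_percentage(feeds, name):
    """Share of this feed's indicators that also appear on at least one other feed."""
    own = feeds[name]
    if not own:
        return 0.0
    seen_elsewhere = set().union(*(set(iocs) for other, iocs in feeds.items() if other != name))
    shared = sum(1 for ioc in own if ioc in seen_elsewhere)
    return round(100 * shared / len(own), 1)


def originality_percentage(feeds, name):
    """Share of this feed's indicators that no other feed published earlier.
    Unique indicators count as original; same-day ties also count (assumption)."""
    own = feeds[name]
    if not own:
        return 0.0
    first = 0
    for ioc, seen in own.items():
        earlier = [other for other, iocs in feeds.items()
                   if other != name and ioc in iocs and iocs[ioc] < seen]
        if not earlier:
            first += 1
    return round(100 * first / len(own), 1)


def scorecard(feeds):
    """Both metrics per feed, plus size, so high-overlap low-originality feeds stand out."""
    return {name: {"overlap": overlapping_percentage(feeds, name),
                   "originality": originality_percentage(feeds, name),
                   "size": len(iocs)}
            for name, iocs in feeds.items()}


if __name__ == "__main__":
    for name, row in scorecard(FEEDS).items():
        print(f"{name}: overlap {row['overlap']}%  originality {row['originality']}%  size {row['size']}")
```

In the constructed data feed_c sees everything it shares with the others last, so it scores 75% overlap but only 25% originality, the profile of a feed that mostly republishes.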

To determine the value of a CTI feed against another, or many others, these two metrics are quite useful. Relevancy and usability are more closely connected to the information within a singular feed. But if a company is paying for many feeds, it’s possible that all of them can score high on relevancy and usability.   

By employing these two additional metrics, unique to Silent Push, companies can save money and time by easily determining which feeds are the most valuable.  

Value can translate into more than just spending less on repetitious security feeds. By identifying which feeds supply the best information the fastest, it may also be possible to react to targeted threats before they cause any damage. The concept of proactive threat detection, rather than reactive, is core to the Silent Push mission.

There’s an interesting paper here on how some academics evaluated security intelligence feeds and on their results.


How to rank ASN data in Silent Push

An autonomous system (AS) is a collection of IP subnets that is managed by a single administrative entity. Think of an ISP or a hosting provider, but also a large corporation or a university, many of which manage one or more autonomous systems. Each AS is assigned a unique number, called an ASN; in practice the terms AS and ASN are often used interchangeably.

ASNs play a crucial role in routing and thus in making the Internet work. However, because each of them is managed by a single entity, it also makes sense to assign a reputation to them, based on the amount of malicious activity hosted on the AS.

Silent Push assigns a reputation to each ASN that takes into account both the number of active IP addresses within the AS and the number of these that are currently being used for malicious activities.

The reputation of an ASN reflects the current state rather than a historical reputation, so that ASNs that shut down malicious activity will see their reputation drop immediately. Historic reputation data is available through the API.

The Silent Push platform’s threat score ranges from 0 (best reputation) to 100 (worst reputation). The following are the ASNs with the worst reputation, ranked by the number of IP addresses currently listed.

However, these ASNs are all quite small, each containing 2048 or fewer IP addresses. They host a relatively large amount of malicious activity, but in absolute terms their contribution to ‘bad things on the Internet’ is pretty small.

Look at the ASNs below that contain at least 100,000 IP addresses (active or not):

Now, a number of well-known companies appear in the list, including Tencent, Digital Ocean, Alibaba and Google.

Each of these cloud providers makes it easy for someone to quickly and anonymously set up a virtual server. That has many advantages for researchers and developers, but it also attracts those hosting malicious infrastructure, such as malware authors or those providing services to them.

It is not recommended to block something just because it is hosted by any of these providers. But something unknown hosted there definitely deserves some extra scrutiny.

Takedown reputation

In fairness, it is unreasonable to expect a hosting provider or other network to be able to proactively block all malicious activity on its network. After all, it’s not like a malicious actor is open about their intentions when renting a server or purchasing a domain.

This is why Silent Push also assigns a ‘takedown reputation’ to each ASN, a score from 0 (best reputation) to 100 (worst reputation) that measures how well the ASN takes down malicious activity hosted on its network.

If we add the takedown reputations to the previous table, we note they are all low, but in some cases not 0. This leaves some room for improvement for these ASNs when it comes to their due diligence in keeping the Internet free of malware and scams.

Finally, look at the ASNs with the worst takedown reputation. These are all pretty small, containing 4096 IP addresses or fewer, and have a takedown reputation higher than 90:
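The three rankings discussed in this post (by proportion of malicious addresses, by absolute count restricted to ASNs of at least 100,000 addresses, and by takedown reputation among small ASNs), as an added example that is not Silent Push's code. The hosting score formula and the AsnStats sample are assumptions constructed for the example; the post does not publish the platform's formula.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AsnStats:
    asn: int
    name: str
    total_ips: int       # size of the address space the AS announces
    active_ips: int      # addresses currently observed in use
    malicious_ips: int   # addresses currently hosting malicious activity
    takedown_score: int  # 0 (best) .. 100 (worst): how poorly abuse gets taken down


def hosting_score(s):
    """Assumed scoring for the example: the share of active addresses that are
    malicious, scaled to 0..100. The post does not publish Silent Push's formula."""
    if s.active_ips == 0:
        return 0
    return round(100 * s.malicious_ips / s.active_ips)


def rank(stats, key, min_total_ips=0):
    """ASNs ordered worst first by `key`, optionally ignoring networks below a size floor."""
    eligible = [s for s in stats if s.total_ips >= min_total_ips]
    return [s.asn for s in sorted(eligible, key=key, reverse=True)]


def worst_takedown(stats, max_total_ips=4096, threshold=90):
    """The post's last table: small ASNs whose takedown reputation exceeds the threshold."""
    ordered = sorted(stats, key=lambda s: s.takedown_score, reverse=True)
    return [s.asn for s in ordered
            if s.total_ips <= max_total_ips and s.takedown_score > threshold]


def scorecard(stats, min_total_ips=0):
    """Rows an analyst would compare side by side: proportion, absolute count, takedown."""
    return [(s.asn, s.name, hosting_score(s), s.malicious_ips, s.takedown_score)
            for s in stats if s.total_ips >= min_total_ips]


# Constructed sample (ASNs 64496-64511 are reserved for documentation, RFC 5398).
SAMPLE = [
    AsnStats(64496, "Tiny Bulletproof LLC", 2048, 900, 600, 95),
    AsnStats(64497, "Small Host", 4096, 2000, 800, 92),
    AsnStats(64498, "Big Cloud A", 5_000_000, 3_000_000, 30_000, 5),
    AsnStats(64499, "Big Cloud B", 2_000_000, 1_500_000, 9_000, 12),
    AsnStats(64500, "Regional ISP", 500_000, 400_000, 400, 0),
]

if __name__ == "__main__":
    # Proportion alone puts the two tiny networks on top, although together they
    # hold 1,400 malicious addresses against Big Cloud A's 30,000.
    print("by proportion, all sizes  :", rank(SAMPLE, hosting_score))
    print("by absolute count, >=100k :", rank(SAMPLE, lambda s: s.malicious_ips, 100_000))
    print("worst takedown, <=4096 IPs:", worst_takedown(SAMPLE))
    for row in scorecard(SAMPLE, 100_000):
        print(row)
```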

Conclusion

Simply ranking ASNs or hosting providers by the number of IP addresses that are hosting or have hosted malicious content ignores both their actual size and their responsiveness when it comes to takedown requests. By including both, Silent Push provides you with a clearer picture of what ASNs to consider somewhat suspicious, which combined with other context can help during an investigation.


Using the Silent Push App and API to Find Punycode Domains

Yesterday, a security engineer for the privacy-focused Brave web browser tweeted about a domain impersonating Brave that was promoted through Google ads.

The domain was bravė[.]com.

Note the accent on the e, which distinguishes it from brave[.]com, the domain it was impersonating.

This is an example of an Internationalized Domain Name (IDN), a domain name that includes non-ASCII characters. Such domains have an ASCII representation that starts with xn-- and use punycode to convert from ASCII to unicode and vice versa. The ASCII representation of the impersonating domain is xn--brav-yva[.]com.

When IDNs are used to impersonate existing domains, one speaks of a homograph or homoglyph attack. Other than the use of accents on Latin characters, this also includes using similar-looking characters from non-Latin alphabets, such as using the Greek α instead of the Latin a. Though not incredibly common in practice, such attacks do exist and security researchers have warned about them for more than a decade.

The bravė[.]com or xn--brav-yva[.]com domain was registered through NameCheap in June and is hosted at 185.198.166.104, which belongs to ITLDC, a Bulgarian cloud provider with servers in a number of countries.

Using the Silent Push app, the user can see what else is hosted there:

Searching for domain names in Silent Push

Three more domain names were found, all IDNs: xn--ldgr-xvaj[.]com, xn--sgnal-m3a[.]com and xn--teleram-ncb[.]com. The unicode representations of these domains are lędgėr[.]com, sīgnal[.]com and teleģram[.]com respectively, presumably impersonating cryptocurrency wallet maker Ledger and messaging apps Signal and Telegram. (I say ‘presumably’ because signal[.]com and telegram[.]com aren’t actually linked to the respective messaging apps.)

These other three domains were also registered at NameCheap. Using the Silent Push passive DNS, it was found that none of the domains had been seen at another IP address, so the user cannot pivot any further.

However, could this actor have hosted other domains on a different server? Assuming they’d also use the same registrar and hosting provider, a search query was run in the Silent Push API for domains starting with xn-- that use NameCheap’s name servers and are hosted on ITLDC’s ASN (AS21100).

Nine further domains were found. Two of them (xn--80aaw7ah[.]com and xn--80ahcmbumt[.]org) represent words in the Cyrillic alphabet and there is no reason to assume they are used for anything malicious.

The other seven, however, were all hosted on the same IP address (195.245.113.25) and all impersonate legitimate products, including once again Brave and Telegram:

The fake installer on bravė.com that prompted this research was an ISO file that appears to contain a version of the Redline infostealer. That suggests it may be related to a campaign analysed by Morphisec last month, where Redline was also served packed inside an ISO through malicious Google ads, impersonating Telegram and other services. The domain names involved in that campaign were also registered through NameCheap.

As for IDNs, there are tools that help one find homograph attacks on an existing domain name. However, it is through a comprehensive and easily searchable passive DNS database that one can find a bigger picture of the campaign using a homograph attack.
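The punycode conversion described above and a diacritic-stripping check that maps the four xn-- domains found on the first server back to the brands they resemble, as an added example that is not code from the post or from Silent Push. WATCHED_BRANDS is a constructed watch list; cross-script confusables such as Greek α for Latin a are out of scope for this example.

```python
import unicodedata

# The four IDNs found on 185.198.166.104 in the investigation above, and a
# constructed watch list of the brands they appear to imitate.
OBSERVED = ["xn--brav-yva.com", "xn--ldgr-xvaj.com",
            "xn--sgnal-m3a.com", "xn--teleram-ncb.com"]
WATCHED_BRANDS = {"brave.com", "ledger.com", "signal.com", "telegram.com"}


def to_ascii(domain):
    """Unicode form -> ASCII (xn--) form, using the standard library's idna codec."""
    return domain.encode("idna").decode("ascii")


def to_unicode(domain):
    """ASCII (xn--) form -> Unicode form; a domain already in Unicode form is returned as is."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeEncodeError:
        return domain


def is_idn(domain):
    """True if any label is in punycode form."""
    return any(label.startswith("xn--") for label in domain.lower().split("."))


def skeleton(domain):
    """Strip diacritics: decompose with NFKD, then drop combining marks, so that
    bravė -> brave and teleģram -> telegram. This covers the accent-style
    homographs in this campaign; cross-script look-alikes (Greek α for Latin a)
    need a confusables table such as Unicode TR39 and are not handled here."""
    decomposed = unicodedata.normalize("NFKD", to_unicode(domain))
    return "".join(ch for ch in decomposed if not unicodedata.combining(ch))


def find_homographs(domains, brands):
    """Map each IDN whose skeleton equals a watched brand to (Unicode form, brand)."""
    hits = {}
    for domain in domains:
        if not is_idn(domain):
            continue
        sk = skeleton(domain)
        if sk in brands:
            hits[domain] = (to_unicode(domain), sk)
    return hits


if __name__ == "__main__":
    print(to_ascii("bravė.com"))  # xn--brav-yva.com
    for d, (uni, brand) in find_homographs(OBSERVED + ["brave.com"], WATCHED_BRANDS).items():
        print(f"{d:22} {uni:14} looks like {brand}")
```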

Indicators:



Attacks Are Tailored to You. Your Intelligence Should Be Too

2021 may well be called, “the year of the targeted attack.” Over and over, threat actors have carried out carefully crafted operations using infrastructure tailored to specific victim organizations.

On the other side of the table, large organizations rely on security tools that, at best, attempt to block the indicators they observed hitting other organizations previously. These IOCs don’t necessarily relate to the defending organization, meaning blue teams regularly miss the actors crafting domains and infrastructure to get beyond their particular defenses.

It is too easy for the organized crime or espionage group to develop new, bespoke assets to attack an organization safe in the knowledge of how to evade traditional security products and services. Silent Push regularly sees assets set up with such specific evasion techniques in mind.

Silent Push often sees domains registered and then aged for a period of time before malicious use, to avoid age-based reputation scores. There are often domains imitating supply chain partners of various types, to avoid security practitioners and potential victims becoming suspicious when they see them in logs. Rotating name servers and customized name servers are often used to communicate with specialized malware while avoiding fingerprinting rules and behavior-based detection techniques. At the same time, there are very few innovations from security vendors to react to these new techniques.

It is time for the security industry and those defending teams to fight back. Silent Push wants to equip enterprises with the freedom to protect themselves.

Everybody needs their own customized threat intelligence. If an organization can’t meaningfully search for the attacks that are being tailored to them, what chance do they have?

Silent Push is exposing the analytics to help organizations track and trace the very attacker infrastructure being designed just for them. This allows threat intelligence teams to shine a light on this infrastructure as it is going live so they have a chance to proactively defend their organizations instead of hoping to discover the infrastructure after it has hit someone else.

What can be done?

Enterprises have been expected to accept ‘black box’ thinking from their security vendors for years: ‘You don’t need to know the details of how we detect things, just pay us the money and trust that we are defending you.’ That clearly hasn’t worked.

Now, Silent Push is exposing the underlying connections and patterns to enable enterprises to create their own intelligence feeds, focused on what they need to defend against.

If 5 threat groups use the same malicious infrastructure provider, then the enterprise needs to defend against that infrastructure provider. If numerous advanced threat groups use the same technique of managing and aging domains over time, then the enterprise needs to be able to identify domains currently managed with that technique going live. If a virtual Bullet Proof Hosting Provider is the commonality across numerous campaigns by different groups then a defending enterprise must be able to identify the fingerprint of that provider to defend against it.

These are the things Silent Push can allow the enterprise to do, with the aim to empower enterprise Threat Intelligence teams with the right tools to generate their own new intelligence, and to fuse their current intelligence with new insights that help contextualize and prioritize what matters today.