Finding Nemo(hosts)

Spread the love

How to identify potential malicious infrastructure using ThreatConnect, DomainTools, and more

All that is bad is not known

Individual indicators are often highly perishable, but understanding the patterns adversaries use to stand up infrastructure can give us a leg up by illuminating suspicious domains potentially prior to an attack. But where to start? How to avoid getting lost in an ocean of data? Here, we’ll focus on FANCY BEAR / APT28 / Sofacy as an example. Using the research methods captured in the diagram below, we identified dozens of recently registered domains and IPs that have varying levels of association to the Russian APT. We also discovered three name servers that FANCY BEAR actors most likely used for their domains — a tactic that defenders can exploit to proactively identify new domains that may be associated with FANCY BEAR activity.

fancy-bear

 

Getting Started: Using Investigation Links

In reviewing domains with registration consistencies to previously identified FANCY BEAR domains, we identified the domain unisecproper[.]org and included it in our ThreatConnect Intelligence source. This domain was registered using the email address le0nard0@mail[.]com, is hosted on a dedicated server at the IP 92.114.92.134, and uses a name server that has previously been associated with FANCY BEAR activity. These consistencies are suspicious, but don’t definitively indicate this domain is in use by FANCY BEAR. So we decided to dig into it a bit more.

Below is our entry for the unisecproper[.]org domain. We used ThreatConnect’s investigation links to identify other openly available information on this domain and the IP that hosts it. These links quickly query external tools and resources such as Hurricane Electric, Robtex, and Google, for the given indicator to identify other intelligence related to it.

 

 

ThreatConnect entry for unisecproper[.]org.

 

In reviewing Censys for the 92.114.92.134 IP address, we identify that a web server on that IP currently uses the SSL certificate f27c4270b9b9291f465ba5962c36ce38f438377acff300b5c82b3b145f0c9e94

censys-ip-address

Additional detail on SSL certificate used on the 92.114.92.134 IP address.

 

Reviewing this hash in Censys identifies the SHA1 as a1833c32d5f61d6ef9d1bb0133585112069d770e. Cybersecurity researchers — including Thomas Rid and Mark Parsons — have identified that this SSL certificate has been associated with FANCY BEAR activity, including operations targeting the DNC and German Parliament. This indicates that the unisecproper[.]org domain, which is the only one hosted at this IP, most likely is associated with FANCY BEAR activity.

 

ssl-certificate-fancy-bear

Additional detail on SSL certificate used on the 92.114.92.134 IP address.

Exploiting Certificate Usage

The previous link shows some cool investigative work that Mark Parsons has done by focusing on this SSL certificate. Similarly, we investigated this SSL certificate to identify other recent IPs and domains that can be associated with FANCY BEAR. Using Censys, we identified about eleven IP addresses that hosted web servers using the same certificate. Please note, during the course of this research this list of IPs changed, so it’s important to monitor changes to those IPs with web servers using this certificate.

exploit-certificate-ssl

Additional information from Censys showing other IPs where the SSL certificate is used.

 

We imported these IPs into ThreatConnect and then reviewed their hosting information using our Farsight DNSDB integration. From here we were able to identify the domains that were recently hosted on these IP addresses and therefore most likely are associated with FANCY BEAR activity.

passive-DNS-threatconnect-sofacy

ThreatConnect’s Farsight DNSDB integration entry for 179.43.128.218 IP address.

 

Ultimately, using passive DNS to investigate all the the IPs from Censys, we identified the following domains that were hosted at those IP addresses:

 

Domain IP Address Registrant Email
unisecproper[.]org 208.91.197.91 le0nard0@mail[.]com
wmiapp[.]com 179.43.128.218 Private
networkxc[.]net 185.183.107.38 bertfuhrmann@gmx[.]de
ndsee[.]org 185.86.150.26 manuel.herez@centrum[.]cz
neoderb[.]com 188.40.155.241 Private
remnet[.]org 188.40.155.241 cameron_gordon@centrum[.]cz
remotemanagesvc[.]net 188.40.155.241 Private
netcorpscanprotect[.]com 94.177.12.157 ernesto.rivero@mail[.]com
zpfgr[.]com 94.177.12.74 olavi_nieminen@suomi24[.]fi
connectsmd[.]net 86.107.42.11 Private
ckgob[.]com 88.99.21.169 luc_ma@iname[.]com

Several of these domains have been identified in previous research into FANCY BEAR or in network callouts in files attributed to them. These indicators identified here have been shared in incident 20170629A: Fancy Bear SSL Certificate Research.

Just Keep Digging

This was a great start. Up to now we’ve discovered at least a dozen domains and IPs that we can assess that are most likely associated with FANCY BEAR activity. But we kept digging. Once we knew the infrastructure that is most likely theirs, we sought to identify how they got this infrastructure hoping that we could identify other infrastructure with similar registration and hosting consistencies.

Nemohosts.com Name Server

We reviewed historical WHOIS information for these domains using our DomainTools Spaces App. In doing so, some interesting consistencies started standing out in a couple of the domains. As shown below, the domains neoderb[.]com, wmiapp[.]com, and connectsmd[.]net, all initially used a nemohosts[.]com name server when they were first registered suggesting that these domains were registered through the Nemohosts reseller. A review of WHOIS history indicates that only about 160 domains have used nemohosts[.]com name servers, suggesting that it is a relatively small service. Shortly after they were registered, the three domains switched to using a topdns.com name server.   

 

ThreatConnect’s DomainTools Spaces App entries for domains hosted at previously identified IPs.

 

Checking out the WHOIS and hosting information for the IPs that house these domains, we identified that they are hosted on dedicated servers. Even though they are only consistent for three of the domains that we initially identified, these attributes gave us something we can use to identify other domains that have been registered and hosted in the same manner.

Using some capabilities from our friends at DomainTools, we can exploit these consistencies to identify other domains that FANCY BEAR may have also registered. We would typically use their Reverse NS capability to identify domains that were using specific name servers; however, in this case we needed to identify domains that previously used a specific name server. To that end, we used a Reverse WHOIS search to identify historical domains that used the ns1.nemohosts[.]com name server like those domains we identified above.

domain-tools-reverse-whois-results

DomainTools Reverse WHOIS historical results for ns1.nemohosts[.]com query.

 

We then fed the domains from the Reverse WHOIS search into the Bulk Parsed WHOIS capability to identify current registration information for all of those domains, to include the name server currently used. From here, we identified those domains that are currently using a topdns.com name server.

bulk-parsed-whois-nemohosts

DomainTools Bulk Parsed WHOIS search for identified domains using nemohosts[.]com name server.

 

Finally, reviewing the WHOIS records for the subset of domains that currently use a topdns[.]com name server and previously used a nemohosts[.]com, we identified those domains that were also hosted on dedicated servers.

domain-tools-whois-record-neoderb

DomainTools WHOIS record for neoderb[.]com showing use of a dedicated server.

 

This led us to the following domains:

Domain IP Address
neoderb[.]com 188.40.155.241
wmiapp[.]com 179.43.128.218
connectsmd[.]net 86.107.42.11
dmsclock[.]org 89.187.151.16
systemfromcuriousmoment[.]com 185.86.150.188
driverfordell[.]com 5.255.80.50
hostsvcnet[.]com 185.94.190.199
intelstatistics[.]com 5.135.199.10
knightconsults[.]com 174.128.253.215
lopback[.]com 185.86.150.151
nethostnet[.]com 86.105.1.12
perfect-remote-service[.]com 188.241.68.175
probenet[.]eu 86.105.1.114
remonitor[.]net 185.94.192.101
societyatcuriousteacher[.]com 185.86.150.188
spelns[.]com 89.44.103.18
unitedprosoftcompany[.]org 95.153.31.197

 

It is important to note that consistencies in registration and hosting tactics do not definitively associate many of these suspicious domains with previous malicious, FANCY BEAR activity. Furthermore, we cannot immediately confirm that the domains listed above are hosting malware or are otherwise attributable to malicious APT activity; however, they deserved additional scrutiny due to the patterns identified above, and the fact that they were registered using a smaller service like Nemohosts. These domains have been shared in incident 20170620A: Nemohosts.com Name Server Suspicious Domains.

Bacloud.com Name Server

The nemohosts[.]com name server usage wasn’t the only registration and hosting tactic that stuck out from the domains that we identified through SSL certificate research. Three other domains — ndsee[.]org, zpfgr[.]com, and networkxc[.]net — all used similarly obscure name servers dns1.bacloud[.]com and dns1.laisvas[.]lt, which likely belong to the same organization operating out of Lithuania. Like previous name servers that FANCY BEAR has used, this service is also relatively small as only about 1060 domains historically have used these name servers.

 

TCS-domain-tools-server

ThreatConnect DomainTools Spaces App showing name servers used by ndsee[.]org and zpfgr[.]com

 

Both ndsee[.]org and zpfgr[.]com were also hosted at dedicated servers, so again we have a set of registration and hosting tactics for FANCY BEAR infrastructure that we can exploit. To do so, we used DomainTool’s Iris. We searched for any domains that currently use the bacloud[.]com or laisvas[.]lt name servers and were registered after July 1, 2016.

iris-search-domain-tools

DomainTools Iris search for bacloud[.]com name servers and (below) the share hash for those interested in running the same query in Iris.

 

Iris Share Hash:
U2FsdGVkX19hV+UVb5W8HCtbI+LvP4vxC61DvbwsRKRZocCzz8pPcUmxrcEBOoI2K0WQ
trbqIJvccSjU1y94XVji4c4R2qRkmPQeJIAAWjDotQReq1af+Q/12zZ5F9xsqrOTo8O0JAMHU3BxGy65Jmu5f
KWePq9N1dNS7Slx+EBUF2Gdu3HeHrI64DeOrGHMRo9h6LFBKmrBnJr6Y1SUs4A9gnrnbJ0d7u/PbyfCAE
Ww8JE7p9T+ex3ZpSh2H68JD5IUdPF4SvB1kIPUEGDNwhK217QzhnC+5Ti+r5JofZen0TpnIFJZrWyKKSjl4
bWtoyeCNvu+IcgM4eVFLJedB8ygfLthTm51ed3j2TIOP1lzQ67skxfh5A4UQIA0B0WGcb9lvK6htepYuDIT1BH
XJ2gDOUGPSqbKq9YLYN8iVa46Jcz+PCUnS/Woj6FA14hodWSLZMEdrL6N0iaDpLzlsT7dD4pL8AavwzMZt
VN28UcCpOmi1CZumLhT7QPcyTidHpAVRfZXb4I8ni0s1TbV48fzNOxlChz8/F4jArxr17b+itDY3V/0vWrm7A
iBpWkoMiV28NHmwFUQJ2TXTLo2yrV69U7pxEZ4iFZ/1fF9G7uOgFR2vg41/DTzJBXHeCspW3uEvCjVEz7C
oelRF+D8A==

 

 

This gave us about 260 domains. We then used Iris’ Stats page to identify those IPs that only showed up once within the identified domains, and then evaluated those results to identify those domains that are hosted on a dedicated server.

domain-tools-iris-stats-page

DomainTools Iris Stats page for previous results.

 

Similarly, we could’ve downloaded a CSV file of these domains from Iris, done some counting and sorting, and reviewed the domains that are hosted on IPs that only show up once or twice within the CSV. These are the domains that have the best chance of being hosted on a dedicated server. We then could review the WHOIS Record for these domains in DomainTools to identify those domains that are in fact hosted on dedicated servers. This results in the below list:

 

Domain IP Address
ndsee[.]org 185.86.150.26
zpfgr[.]com 94.177.12.74
90update[.]com 213.252.244.105
aljazeera-news[.]com 213.252.244.114
ambcomission[.]com 185.25.51.38
cryptokind[.]com 213.252.246.24
deshcoin[.]com 185.25.48.249
dochardproofing[.]com 185.25.51.173
ebramka[.]info 185.25.50.156
fes-auth[.]com 91.108.68.209
hello76[.]com 185.64.105.7
hostedopenfiles[.]net 185.25.50.93
kiteim[.]org 5.255.80.68
kremotevn[.]net 86.105.1.128
lasarenas[.]lt 91.216.163.204
lopback[.]com 185.86.150.151
megauploadfiles[.]org 5.135.199.24
nemaskalitnium[.]com 173.44.58.240
networkfilehosting[.]com 213.252.247.167
news-almasirah[.]net 213.252.244.115
newsfromsource[.]com 91.216.163.224
platnosci[.]biz 213.252.247.121
postmarksmtp[.]com 185.25.51.120
remsvc[.]net 91.108.68.180
rhfcoin[.]com 91.216.163.229
sa7efa[.]com 91.216.163.237
searchbrain[.]net 91.216.163.203
serbview[.]com 5.255.93.224
startthedownload[.]com 213.252.247.168
showitem[.]lt 213.252.247.159
uploadsforyou[.]com 185.25.50.144
wintwinbtc[.]com 185.25.48.27

 

As we previously highlighted, many of the suspicious domains above are not immediately attributable to any malicious activity; however, their nature and use of these name servers suggest that any network traffic to them merits additional review. These domains have been shared in incident 20170629E: Bacloud.com Name Server Research. Networkxc[.]net was hosted on a small server with only two other domains hosted at the same IP. A future iteration of this analysis should evaluate those domains bacloud[.]com domains that are also hosted on small, but non-dedicated servers.

Waiting for Known Bad is Waiting to be Had

It’s important to caveat our confidence in these indicators’ association to FANCY BEAR activity. For many of those indicators that we’ve included here, we don’t know whether they have actually been used maliciously. But if known bad is all that you are worried about or interested in, then you’ll always be at least one step behind the attacker. Only by leveraging intelligence to identify and exploit our adversaries’ tactics can we move from a reactive, whack-a-mole state to a proactive, informed defense.

Further, appropriate and effective intelligence analysis in the cyber realm has to accommodate and convey shades of gray. ThreatConnect, in addition to operating as a centralized research platform, does just that as context and attributes for indicators, incidents, campaigns, and threats can be appropriately captured and memorialized. This intelligence (note that we didn’t say indicators) can then be shared with the individuals, organizations, or communities that you need to inform to help initiate defensive action. Accordingly, our ThreatConnect Intelligence  source, (available for purchase in all our products) provides not only the indicators that we identify, but context on how we identified them, what threats they are associated with, threat and confidence ratings, and the extent to which, if any, those indicators are known to have been operationalized. 

In this case, we didn’t wait for knowledge of a FANCY BEAR operation to be made public. Rather, we leveraged a variety of cyber intelligence sources, tools, and capabilities to exploit their tactics and identify dozens of indicators with possible ties to FANCY BEAR. We encourage readers to do the same for their threats to not only fight them where they are, but where they will be. To maximize the impact of cyber threat intelligence at your organization, just keep digging, digging, digging.

 

Interested in Conducting Some of Your Own Threat Research? Sign Up For A Free Account Today and Get Started

The post Finding Nemo(hosts) appeared first on ThreatConnect | Enterprise Threat Intelligence Platform.

Click here for reuse options!
Copyright 2017 NETWORKFIGHTS.COM