close
Gartner Report:
Innovation Insight for
Security Orchestration,
Automation and Response DOWNLOAD NOW

What's in a Name Server?

What's in a Name... Server?

That which we call an APT. By any other name would smell as foul.

Read the full series of ThreatConnect posts following the DNC Breach: "Rebooting Watergate: Tapping into the Democratic National Committee", "Shiny Object? Guccifer 2.0 and the DNC Breach", "What's in a Name Server?", "Guccifer 2.0: the Man, the Myth, the Legend?", "Guccifer 2.0: All Roads Lead to Russia", "FANCY BEAR Has an (IT) Itch that They Can't Scratch", "Does a BEAR Leak in the Woods?", "Russian Cyber Operations on Steroids", and "Can a BEAR Fit Down a Rabbit Hole?".

Following the lead from CrowdStrike, ThreatConnect expanded on the DNC Breach research looking at the name server hosting information for the misdepatrment[.]com spoofed domain.

Internet Contact Books

Name servers are the contact books of the Internet. A cell phone's contact book gives someone the opportunity to forget their mom's phone number because it automatically associates her name with her ten digit phone number. This way, after her information is in the contact book, they only have to remember her name to call her. Name servers provide a similar function - they translate domain names into difficult-to-remember IP addresses so we only have to remember the domain name. Note: the purpose of this post is not to be a DNS primer - you can learn more about DNS and how it works in this article.

Hosting services usually have their own name servers that they use for any websites that are registered through them. Also, hosting services generally use multiple name servers for their accounts to provide continuity in case one of their name servers goes down. For example, if five domains are registered through GoDaddy, all five of those domains by default will use GoDaddy name servers like NS1.GODADDY[.]COM and NS2.GODADDY[.]COM. Individuals can also choose to configure or transfer their domains so that they use other service providers' name servers if they choose.

So What and Why You Care:

Hundreds of thousands of domains might use a single name server, but in some cases, especially for smaller hosting services, a name server may only be used for a couple of hundred domains. This can prove to be useful information as threats of all shapes and sizes - including advanced persistent threats (APTs) - will sometimes use boutique or smaller hosting services to register the domains that are used as malicious infrastructure in support of their operations. This name server information is contained in the WHOIS record for a domain and can potentially be used to identify other malicious domains that organizations may encounter related to a specific incident.

Name Servers, Bitcoins, and Bears. Oh My!

Following the lead from our friends at CrowdStrike, we expanded on the research we did into FANCY BEAR's efforts against the DNC, where we took a look at the name server hosting information for the misdepatrment[.]com spoofed domain. Leveraging DomainTool's capabilities, we were able to identify that this domain was registered through the domains4bitcoins[.]com hosting service that allows customers to buy domain names with Bitcoins.

Domains4Bitcoins dnc breach

A hosting service like this is attractive to malicious actors that want to minimize the amount of attributable information that they are required to supply when purchasing domains. This service mitigates the need to supply credit cards and legitimate billing names and addresses, as the customer can simply pay from their Bitcoin wallet and use fictitious names and addresses that ultimately obfuscate their true ownership.

Some of the domains registered through this service, including misdepatrment[.]com, use multiple *.bitcoin-dns[.]hosting name servers. Using DomainTools' Reverse NS lookup, we were able to identify about 1600 domains that also used the same name servers as misdepatrment[.]com. This set contains a wealth of domains that were previously identified as malicious, spoof or typosquat legitimate companies or organizations, or are otherwise suspicious.

Associations to Previous Activity

Leveraging ThreatConnect's Analyze function, we were able to quickly identify the below domains that use domains4bitcoins[.]com's name servers had been attributed to FANCY BEAR (aka APT28 and SOFACY) activity:

Threatconnect Analyze Indicators dncbreach

Analyze results for domains using the bitcoin-dns[.]hosting name server. Specific attributes below.

Domain Attributes
militaryobserver[.]net FANCY BEAR related domains. From a PWC Threat Intelligence Bulletin.
sysprofsvc[.]com Likely malicious FANCY BEAR C2 domain that overlaps with the domain winsyscheck[.]com at IP 69.90.132[.]194.
euronews24[.]info Likely FANCY BEAR domain registered by leila77@cock[.]li
naoasch[.]com FANCY BEAR callback found in DLL MD5: 2045EFB4DA99B3AF154814888BE43390

The presence of multiple domains attributed to an APT group on this relatively small Bitcoin name server underscores the fact that using such services is likely a common tactic for malicious actors who want avoid attribution and hosting services that mitigate abusive activity. Paying in bitcoins also lessens any hassles an APT might experience in trying to register domains using foreign currency.

Criminal actors leveraging recent ransomware variants, including Locky and SamSam, request ransom payments in Bitcoins from their victims. The malicious actors can then use these Bitcoin hosting services to easily procure additional anonymous infrastructure using their ransom money. Several of the domains registered through domains4bitcoins[.]com spoof Bitcoin-related websites. For example, blockichain[.]info spoofs the Bitcoin wallet site blockchain[.]info, which has previously been spoofed in multiple phishing efforts. One possibility is that the individuals behind these operations may be using stolen Bitcoins to "feed the beast" and use stolen digital currency to procure digital infrastructure in support of future operations.

Additional Shadiness

We further reviewed the domains using domains4bitcoins[.]com's name servers and are sharing over 400 of them in 20160616B: Suspicious Domains on Bitcoin DNS NameserversSome of the more notable domains mirror government organizations, media outlets, and technology companies or tools. Many of these organizations are ubiquitous and domains spoofing them could be used against a variety of targets:

Domain Possible Spoofed
 Organization
Create/Update
 Date
Expiration
 Date
SOA Email Registrant Email
adobeflashdownload[.]de Adobe 11/16/15 N/A j.wang@uymail.com N/A
adobeflashplayer[.]me Adobe 2/18/16 2/18/17 play@xtcmail.com contact@privacyprotect.org
adobeflashplayer[.]space Adobe 2/18/16 2/18/17 play@xtcmail.com contact@privacyprotect.org
adobeupdater[.]org Adobe 8/10/15 8/10/16 vrickson@mail.com vrickson@mail.com
adobeupdatetechnology[.]com Adobe 5/30/16 5/30/17 best.cameron@mail.com best.cameron@mail.com
adoble[.]net Adobe 4/22/16 4/22/21 surleoborden@gmail.com contact@privacyprotect.org
flashplayer2015[.]xyz Adobe 12/17/15 12/17/16 N/A josiekilbyav@aol.com
newflashplayer2015[.]xyz Adobe 12/18/15 12/18/16 N/A josiekilbyav@aol.com
pdf-online-viewer[.]com Adobe 12/11/15 12/11/16 weronika76@hotmail.com weronika76@hotmail.com
yourflashplayer[.]xyz Adobe 12/19/15 12/19/16 josiekilbyav@aol.com josiekilbyav@aol.com
akamaitechnologysupport[.]com Akamai 5/27/16 5/27/17 bergers3008@usa.com bergers3008@usa.com
akamaitechupdate[.]com Akamai 6/21/16 6/21/17 guiromolly@mail.com guiromolly@mail.com
helper-akamai[.]com Akamai 5/25/16 5/25/17 N/A 8yhi4xqycpzm@mail.ru
cdncloudflare[.]com Cloudflare 1/16/16 1/16/19 loots@tuta.io loots@tuta.io
cloudfiare[.]com Cloudflare 11/3/15 11/3/16 mia.konzet99@ok.de mia.konzet99@ok.de
egypressoffice[.]com Egy Press 9/7/15 9/7/16 dana.raphaela@chewiemail.com dana.raphaela@chewiemail.com
access-google[.]com Google 6/22/15 6/22/16 abuse@opticaljungle.com v9sa2cml@instancemail.net
cdn-google[.]com Google 5/2/16 5/2/17 issacgolden@hmamail.com contact@privacyprotect.org
marshmallow-google[.]com Google 5/19/16 5/19/17 gregorio.oconnor@hmamail.com contact@privacyprotect.org
terms-google[.]com Google 12/22/15 12/22/16 artur.klimenkov@gmail.com artur.klimenkov@gmail.com
honeyvvell[.]co Honeywell 2/17/16 2/16/17 pinfiangtw@gmail.com pinfiangtw@gmail.com
thehufflngtonpost[.]com Huffington Post 11/10/15 11/10/16 mattew.barnes@aol.com contact@privacyprotect.org
intelintelligence[.]org Intel 2/11/16 2/11/17 petkrist@myself.com petkrist@myself.com
intelsupportcenter[.]com Intel 2/17/16 2/17/17 fisterboks@email.com fisterboks@email.com
intelsupportcenter[.]net Intel 2/17/16 2/17/17 fisterboks@email.com fisterboks@email.com
micoft[.]com Microsoft 8/8/15 8/8/16 syst.soul@mail.com syst.soul@mail.com
microsoft-updates[.]me Microsoft 10/7/15 10/7/17 m8r-abrn11@mailinator.com contacts@up57893.in
ms-drivadptrwin[.]com Microsoft 2/24/16 2/24/17 mr.michoverton@mail.com mr.michoverton@mail.com
ms-sus6[.]com Microsoft 4/14/16 4/14/17 ken.tanaka@mail.com contact@privacyprotect.org
ms-updates[.]com Microsoft 12/17/15 12/17/16 sandra.rafaela@chewiemail.com sandra.rafaela@chewiemail.com
securesystemwin[.]com Microsoft 5/22/15 5/22/17 bkopfer7101@mail.com contact@privacyprotect.org
win-wnigarden[.]com Microsoft 11/25/15 11/25/16 pinfiangtw@gmail.com pinfiangtw@gmail.com
wincodec[.]com Microsoft 12/14/15 12/14/16 elfreda.pollie@chewiemail.com elfreda.pollie@chewiemail.com
windowsnewupdated[.]com Microsoft 7/2/15 7/2/16 ruzeedomeon@gmail.com contact@privacyprotect.org
winliveupdate[.]top Microsoft 2/24/16 2/24/17 agnasirahmedd@gmail.com agnasirahmedd@gmail.com
winninggroup-sg[.]com Microsoft 4/21/16 4/21/17 s.penn.254@gmail.com s.penn.254@gmail.com
wm-z[.]biz Microsoft 2/20/10 2/19/17 j.holmberg@dr.com admin@wm-z.biz
wmepadtech[.]com Microsoft 7/22/15 7/22/16 shawanda.kirlin37@mail.com shawanda.kirlin37@mail.com
nato-org[.]com NATO 2/18/16 2/18/17 barry.smith2004@yandex.com barry.smith2004@yandex.com
natoadviser[.]com NATO 5/24/16 5/24/17 leo.link@email.com leo.link@email.com
sec-verified[.]com SEC 8/3/15 8/3/16 cjgr8hm@gmail.com cjgr8hm@gmail.com
theguardiannews[.]org The Guardian 12/10/15 12/10/16 idolbreaker@mail.com idolbreaker@mail.com
theguardianpress[.]com The Guardian 12/9/15 12/9/16 paulbecker@cock.li paulbecker@cock.li
services-gov[.]co[.]uk UK Govt 1/17/16 1/17/17 saira.samosa@gmail.com N/A
goaarmy[.]org US Army 8/16/05 8/16/16 owen@kehoe.org owen@kehoe.org
govsh[.]net US Govt 8/5/15 8/5/16 noshare1024@gmail.com contact@privacyprotect.org
wsjworld[.]com WSJ 3/16/16 3/16/17
mishel_corp@mail.com mishel_corp@mail.com

Some notable patterns stick out from the above list with respect to previously-attributed activity. Theguardianpress[.]com domain was registered using the same email domain, cock[.]li, as the naoasch[.]com and euronews24[.]info domains that were previously attributed to FANCY BEAR activity. This domain was also registered in the same timeframe as another domain, theguardiannews[.]org, which also spoofs The Guardian. Leveraging the Reverse DNS capability within the ThreatConnect platform, we are also able to quickly identify that four of the domains--adoble[.]net, wincodec[.]com, theguardiannews[.]org, and theguardianpress[.]com--previously resolved to the 5.135.183[.]154 IP address. These domains are now hosted elsewhere, with The Guardian-spoofing domains being hosted on dedicated servers. The 5.135.183[.]154 IP also hosted the misdepatrment[.]com domain before it was potentially used in the DNC attack from a dedicated server at the FANCY BEAR 45.32.129[.]185 IP identified by CrowdStrike.

The adobeupdater[.]org domain was registered by the same email, vrickson@mail[.]com, that was used to register the FANCY BEAR-attributed domain ssl-icloud[.]com. Finally, two domains spoofing Intel and one spoofing Honeywell were all registered on February 17, 2016.

It is important to note that we cannot immediately confirm that these domains are hosting malware or are otherwise attributable to malicious APT activity; however, they deserve additional scrutiny due to the patterns identified above, the fact that they use a Bitcoin name server, and that they emulate legitimate organizations. The Start of Authority (SOA) and WHOIS records for these domains confirm that they were not registered by the spoofed organization. Setting alerting capabilities to identify domains that use a bitcoin name server AND were registered using a free webmail account (such as chewiemail[.]com or mail[.]com) may provide an organization with more specific alerts that are useful for both analytic and defensive efforts.

Many of these domain squats are consistent with those that APT actors leverage in their operations, including those targeting NATO, news websites, or Intel. After registering domains like these, APTs can quickly use them in multiple phases of their operation ranging from delivery to command and control.

Previous FANCY BEAR Name Server Activity

This isn't the first time that various FANCY BEAR infrastructure has leveraged the same technique and used smaller name servers. We reviewed a report from Trend Micro that detailed some domains that had been used in previous FANCY BEAR attacks. Four of the eight domains detailed in the report were likely registered using the same hosting services. These domains initially used the same XtraOrbit name server and later transferred to another XtraOrbit name server before they were published in the report:

Domain Initial Name Server Second Name Server
vice-news[.]com xtraorbit[.]com xo.earth.orderbox-dns.com
eurosatory2014[.]com xtraorbit[.]com xo.earth.orderbox-dns.com
webmail-saic[.]com xtraorbit[.]com xo.earth.orderbox-dns.com
natoexhibitionff14[.]com xtraorbit[.]com xo.earth.orderbox-dns.com
tolonevvs[.]com carbon2u[.]com Parked after report
mail.hm.qov[.]hu N/A N/A
log-in-osce[.]org N/A N/A
academl[.]com trademarkarea[.]com Parked after report

Leveraging DomainTools, we were able to identify that only 466 domains currently use the xtraorbit[.]com name server. Then using ThreatConnect's Analyze function, we were able to identify that at least 17 of those domains had been attributed to FANCY BEAR. The concentration of malicious domains on this name server again demonstrates that analysis of name servers can facilitate analytic efforts against such APT groups.

Conclusion

Bitcoin hosting services and name servers are not limited to what we showed here. In the course of our research, we identified at least three other distinct name servers that were dedicated to bitcoin hosting services: domains4bitcoins.*.orderbox-dns[.]com, *.domains4bitcoins[.]com, and *.domains4bitcoins-parking[.]com. Some domains associated with these name servers were also incorporated into 20160616B: Suspicious Domains on Bitcoin DNS Nameservers.

Also, shady name server activity isn't restricted to bitcoin services. We identified other name servers hosting a concentration of malicious APT domains. And, as more domains are registered through services like these or transferred to these name servers on a daily basis, it is worthwhile to monitor such activity and incorporate it into your organization's analytic and defensive efforts.

Read the full series of ThreatConnect posts following the DNC Breach: "Rebooting Watergate: Tapping into the Democratic National Committee", "Shiny Object? Guccifer 2.0 and the DNC Breach", "What's in a Name Server?", "Guccifer 2.0: the Man, the Myth, the Legend?", "Guccifer 2.0: All Roads Lead to Russia", "FANCY BEAR Has an (IT) Itch that They Can't Scratch", "Does a BEAR Leak in the Woods?", "Russian Cyber Operations on Steroids", and "Can a BEAR Fit Down a Rabbit Hole?".

 

 

ABOUT THE AUTHOR

The ThreatConnect Research Team: is an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.