How to identify potential malicious infrastructure using ThreatConnect, DomainTools, and more
All that is bad is not known
Individual indicators are often highly perishable, but understanding the patterns adversaries use to stand up infrastructure can give us a leg up by illuminating suspicious domains potentially prior to an attack. But where to start? How to avoid getting lost in an ocean of data? Here, we’ll focus on FANCY BEAR / APT28 / Sofacy as an example. Using the research methods captured in the diagram below, we identified dozens of recently registered domains and IPs that have varying levels of association to the Russian APT. We also discovered three name servers that FANCY BEAR actors most likely used for their domains — a tactic that defenders can exploit to proactively identify new domains that may be associated with FANCY BEAR activity.
Getting Started: Using Investigation Links
In reviewing domains with registration consistencies to previously identified FANCY BEAR domains, we identified the domain unisecproper[.]org and included it in our ThreatConnect Intelligence source. This domain was registered using the email address le0nard0@mail[.]com, is hosted on a dedicated server at the IP 184.108.40.206, and uses a name server that has previously been associated with FANCY BEAR activity. These consistencies are suspicious, but don’t definitively indicate this domain is in use by FANCY BEAR. So we decided to dig into it a bit more.
Below is our entry for the unisecproper[.]org domain. We used ThreatConnect’s investigation links to identify other openly available information on this domain and the IP that hosts it. These links quickly query external tools and resources such as Hurricane Electric, Robtex, and Google, for the given indicator to identify other intelligence related to it.
ThreatConnect entry for unisecproper[.]org.
In reviewing Censys for the 220.127.116.11 IP address, we identify that a web server on that IP currently uses the SSL certificate f27c4270b9b9291f465ba5962c36ce38f438377acff300b5c82b3b145f0c9e94
Additional detail on SSL certificate used on the 18.104.22.168 IP address.
Reviewing this hash in Censys identifies the SHA1 as a1833c32d5f61d6ef9d1bb0133585112069d770e. Cybersecurity researchers — including Thomas Rid and Mark Parsons — have identified that this SSL certificate has been associated with FANCY BEAR activity, including operations targeting the DNC and German Parliament. This indicates that the unisecproper[.]org domain, which is the only one hosted at this IP, most likely is associated with FANCY BEAR activity.
Additional detail on SSL certificate used on the 22.214.171.124 IP address.
Exploiting Certificate Usage
The previous link shows some cool investigative work that Mark Parsons has done by focusing on this SSL certificate. Similarly, we investigated this SSL certificate to identify other recent IPs and domains that can be associated with FANCY BEAR. Using Censys, we identified about eleven IP addresses that hosted web servers using the same certificate. Please note, during the course of this research this list of IPs changed, so it’s important to monitor changes to those IPs with web servers using this certificate.
Additional information from Censys showing other IPs where the SSL certificate is used.
We imported these IPs into ThreatConnect and then reviewed their hosting information using our Farsight DNSDB integration. From here we were able to identify the domains that were recently hosted on these IP addresses and therefore most likely are associated with FANCY BEAR activity.
ThreatConnect’s Farsight DNSDB integration entry for 126.96.36.199 IP address.
Ultimately, using passive DNS to investigate all the the IPs from Censys, we identified the following domains that were hosted at those IP addresses:
|Domain||IP Address||Registrant Email|
Several of these domains have been identified in previous research into FANCY BEAR or in network callouts in files attributed to them. These indicators identified here have been shared in incident 20170629A: Fancy Bear SSL Certificate Research.
Just Keep Digging
This was a great start. Up to now we’ve discovered at least a dozen domains and IPs that we can assess that are most likely associated with FANCY BEAR activity. But we kept digging. Once we knew the infrastructure that is most likely theirs, we sought to identify how they got this infrastructure hoping that we could identify other infrastructure with similar registration and hosting consistencies.
Nemohosts.com Name Server
We reviewed historical WHOIS information for these domains using our DomainTools Spaces App. In doing so, some interesting consistencies started standing out in a couple of the domains. As shown below, the domains neoderb[.]com, wmiapp[.]com, and connectsmd[.]net, all initially used a nemohosts[.]com name server when they were first registered suggesting that these domains were registered through the Nemohosts reseller. A review of WHOIS history indicates that only about 160 domains have used nemohosts[.]com name servers, suggesting that it is a relatively small service. Shortly after they were registered, the three domains switched to using a topdns.com name server.
ThreatConnect’s DomainTools Spaces App entries for domains hosted at previously identified IPs.
Checking out the WHOIS and hosting information for the IPs that house these domains, we identified that they are hosted on dedicated servers. Even though they are only consistent for three of the domains that we initially identified, these attributes gave us something we can use to identify other domains that have been registered and hosted in the same manner.
Using some capabilities from our friends at DomainTools, we can exploit these consistencies to identify other domains that FANCY BEAR may have also registered. We would typically use their Reverse NS capability to identify domains that were using specific name servers; however, in this case we needed to identify domains that previously used a specific name server. To that end, we used a Reverse WHOIS search to identify historical domains that used the ns1.nemohosts[.]com name server like those domains we identified above.
DomainTools Reverse WHOIS historical results for ns1.nemohosts[.]com query.
We then fed the domains from the Reverse WHOIS search into the Bulk Parsed WHOIS capability to identify current registration information for all of those domains, to include the name server currently used. From here, we identified those domains that are currently using a topdns.com name server.
DomainTools Bulk Parsed WHOIS search for identified domains using nemohosts[.]com name server.
Finally, reviewing the WHOIS records for the subset of domains that currently use a topdns[.]com name server and previously used a nemohosts[.]com, we identified those domains that were also hosted on dedicated servers.
DomainTools WHOIS record for neoderb[.]com showing use of a dedicated server.
This led us to the following domains:
It is important to note that consistencies in registration and hosting tactics do not definitively associate many of these suspicious domains with previous malicious, FANCY BEAR activity. Furthermore, we cannot immediately confirm that the domains listed above are hosting malware or are otherwise attributable to malicious APT activity; however, they deserved additional scrutiny due to the patterns identified above, and the fact that they were registered using a smaller service like Nemohosts. These domains have been shared in incident 20170620A: Nemohosts.com Name Server Suspicious Domains.
Bacloud.com Name Server
The nemohosts[.]com name server usage wasn’t the only registration and hosting tactic that stuck out from the domains that we identified through SSL certificate research. Three other domains — ndsee[.]org, zpfgr[.]com, and networkxc[.]net — all used similarly obscure name servers dns1.bacloud[.]com and dns1.laisvas[.]lt, which likely belong to the same organization operating out of Lithuania. Like previous name servers that FANCY BEAR has used, this service is also relatively small as only about 1060 domains historically have used these name servers.
ThreatConnect DomainTools Spaces App showing name servers used by ndsee[.]org and zpfgr[.]com
Both ndsee[.]org and zpfgr[.]com were also hosted at dedicated servers, so again we have a set of registration and hosting tactics for FANCY BEAR infrastructure that we can exploit. To do so, we used DomainTool’s Iris. We searched for any domains that currently use the bacloud[.]com or laisvas[.]lt name servers and were registered after July 1, 2016.
DomainTools Iris search for bacloud[.]com name servers and (below) the share hash for those interested in running the same query in Iris.
Iris Share Hash:
This gave us about 260 domains. We then used Iris’ Stats page to identify those IPs that only showed up once within the identified domains, and then evaluated those results to identify those domains that are hosted on a dedicated server.
DomainTools Iris Stats page for previous results.
Similarly, we could’ve downloaded a CSV file of these domains from Iris, done some counting and sorting, and reviewed the domains that are hosted on IPs that only show up once or twice within the CSV. These are the domains that have the best chance of being hosted on a dedicated server. We then could review the WHOIS Record for these domains in DomainTools to identify those domains that are in fact hosted on dedicated servers. This results in the below list:
As we previously highlighted, many of the suspicious domains above are not immediately attributable to any malicious activity; however, their nature and use of these name servers suggest that any network traffic to them merits additional review. These domains have been shared in incident 20170629E: Bacloud.com Name Server Research. Networkxc[.]net was hosted on a small server with only two other domains hosted at the same IP. A future iteration of this analysis should evaluate those domains bacloud[.]com domains that are also hosted on small, but non-dedicated servers.
Waiting for Known Bad is Waiting to be Had
It’s important to caveat our confidence in these indicators’ association to FANCY BEAR activity. For many of those indicators that we’ve included here, we don’t know whether they have actually been used maliciously. But if known bad is all that you are worried about or interested in, then you’ll always be at least one step behind the attacker. Only by leveraging intelligence to identify and exploit our adversaries’ tactics can we move from a reactive, whack-a-mole state to a proactive, informed defense.
Further, appropriate and effective intelligence analysis in the cyber realm has to accommodate and convey shades of gray. ThreatConnect, in addition to operating as a centralized research platform, does just that as context and attributes for indicators, incidents, campaigns, and threats can be appropriately captured and memorialized. This intelligence (note that we didn’t say indicators) can then be shared with the individuals, organizations, or communities that you need to inform to help initiate defensive action. Accordingly, our ThreatConnect Intelligence source, (available for purchase in all our products) provides not only the indicators that we identify, but context on how we identified them, what threats they are associated with, threat and confidence ratings, and the extent to which, if any, those indicators are known to have been operationalized.
In this case, we didn’t wait for knowledge of a FANCY BEAR operation to be made public. Rather, we leveraged a variety of cyber intelligence sources, tools, and capabilities to exploit their tactics and identify dozens of indicators with possible ties to FANCY BEAR. We encourage readers to do the same for their threats to not only fight them where they are, but where they will be. To maximize the impact of cyber threat intelligence at your organization, just keep digging, digging, digging.