What's in a Name Server?

BG What's in a Name Server

What’s in a Name… Server?

That which we call an APT. By any other name would smell as foul.

Read the full series of ThreatConnect posts following the DNC Breach: “Rebooting Watergate: Tapping into the Democratic National Committee“, “Shiny Object? Guccifer 2.0 and the DNC Breach“, “What’s in a Name Server?“, “Guccifer 2.0: the Man, the Myth, the Legend?“, “Guccifer 2.0: All Roads Lead to Russia“, “FANCY BEAR Has an (IT) Itch that They Can’t Scratch“, “Does a BEAR Leak in the Woods?“, “Russian Cyber Operations on Steroids“, and “Can a BEAR Fit Down a Rabbit Hole?“.

Following the lead from CrowdStrike, ThreatConnect expanded on the DNC Breach research looking at the name server hosting information for the misdepatrment[.]com spoofed domain.

Internet Contact Books

Name servers are the contact books of the Internet. A cell phone’s contact book gives someone the opportunity to forget their mom’s phone number because it automatically associates her name with her ten digit phone number. This way, after her information is in the contact book, they only have to remember her name to call her. Name servers provide a similar function – they translate domain names into difficult-to-remember IP addresses so we only have to remember the domain name. Note: the purpose of this post is not to be a DNS primer – you can learn more about DNS and how it works in this article.

Hosting services usually have their own name servers that they use for any websites that are registered through them. Also, hosting services generally use multiple name servers for their accounts to provide continuity in case one of their name servers goes down. For example, if five domains are registered through GoDaddy, all five of those domains by default will use GoDaddy name servers like NS1.GODADDY[.]COM and NS2.GODADDY[.]COM. Individuals can also choose to configure or transfer their domains so that they use other service providers’ name servers if they choose.

So What and Why You Care:

Hundreds of thousands of domains might use a single name server, but in some cases, especially for smaller hosting services, a name server may only be used for a couple of hundred domains. This can prove to be useful information as threats of all shapes and sizes – including advanced persistent threats (APTs) – will sometimes use boutique or smaller hosting services to register the domains that are used as malicious infrastructure in support of their operations. This name server information is contained in the WHOIS record for a domain and can potentially be used to identify other malicious domains that organizations may encounter related to a specific incident.

Name Servers, Bitcoins, and Bears. Oh My!

Following the lead from our friends at CrowdStrike, we expanded on the research we did into FANCY BEAR’s efforts against the DNC, where we took a look at the name server hosting information for the misdepatrment[.]com spoofed domain. Leveraging DomainTool‘s capabilities, we were able to identify that this domain was registered through the domains4bitcoins[.]com hosting service that allows customers to buy domain names with Bitcoins.

Domains4Bitcoins dnc breach

A hosting service like this is attractive to malicious actors that want to minimize the amount of attributable information that they are required to supply when purchasing domains. This service mitigates the need to supply credit cards and legitimate billing names and addresses, as the customer can simply pay from their Bitcoin wallet and use fictitious names and addresses that ultimately obfuscate their true ownership.

Some of the domains registered through this service, including misdepatrment[.]com, use multiple *.bitcoin-dns[.]hosting name servers. Using DomainTools’ Reverse NS lookup, we were able to identify about 1600 domains that also used the same name servers as misdepatrment[.]com. This set contains a wealth of domains that were previously identified as malicious, spoof or typosquat legitimate companies or organizations, or are otherwise suspicious.

Associations to Previous Activity

Leveraging ThreatConnect’s Analyze function, we were able to quickly identify the below domains that use domains4bitcoins[.]com’s name servers had been attributed to FANCY BEAR (aka APT28 and SOFACY) activity:

Threatconnect Analyze Indicators dncbreach

Analyze results for domains using the bitcoin-dns[.]hosting name server. Specific attributes below.

DomainAttributes
militaryobserver[.]netFANCY BEAR related domains. From a PWC Threat Intelligence Bulletin.
sysprofsvc[.]comLikely malicious FANCY BEAR C2 domain that overlaps with the domain winsyscheck[.]com at IP 69.90.132[.]194.
euronews24[.]infoLikely FANCY BEAR domain registered by leila77@cock[.]li
naoasch[.]comFANCY BEAR callback found in DLL MD5: 2045EFB4DA99B3AF154814888BE43390

The presence of multiple domains attributed to an APT group on this relatively small Bitcoin name server underscores the fact that using such services is likely a common tactic for malicious actors who want avoid attribution and hosting services that mitigate abusive activity. Paying in bitcoins also lessens any hassles an APT might experience in trying to register domains using foreign currency.

Criminal actors leveraging recent ransomware variants, including Locky and SamSam, request ransom payments in Bitcoins from their victims. The malicious actors can then use these Bitcoin hosting services to easily procure additional anonymous infrastructure using their ransom money. Several of the domains registered through domains4bitcoins[.]com spoof Bitcoin-related websites. For example, blockichain[.]info spoofs the Bitcoin wallet site blockchain[.]info, which has previously been spoofed in multiple phishing efforts. One possibility is that the individuals behind these operations may be using stolen Bitcoins to “feed the beast” and use stolen digital currency to procure digital infrastructure in support of future operations.

Additional Shadiness

We further reviewed the domains using domains4bitcoins[.]com’s name servers and are sharing over 400 of them in 20160616B: Suspicious Domains on Bitcoin DNS NameserversSome of the more notable domains mirror government organizations, media outlets, and technology companies or tools. Many of these organizations are ubiquitous and domains spoofing them could be used against a variety of targets:

DomainPossible Spoofed
 Organization
Create/Update
 Date
Expiration
 Date
SOA EmailRegistrant Email
adobeflashdownload[.]deAdobe11/16/15N/Aj.wang@uymail.comN/A
adobeflashplayer[.]meAdobe2/18/162/18/17play@xtcmail.comcontact@privacyprotect.org
adobeflashplayer[.]spaceAdobe2/18/162/18/17play@xtcmail.comcontact@privacyprotect.org
adobeupdater[.]orgAdobe8/10/158/10/16vrickson@mail.comvrickson@mail.com
adobeupdatetechnology[.]comAdobe5/30/165/30/17best.cameron@mail.combest.cameron@mail.com
adoble[.]netAdobe4/22/164/22/21surleoborden@gmail.comcontact@privacyprotect.org
flashplayer2015[.]xyzAdobe12/17/1512/17/16N/Ajosiekilbyav@aol.com
newflashplayer2015[.]xyzAdobe12/18/1512/18/16N/Ajosiekilbyav@aol.com
pdf-online-viewer[.]comAdobe12/11/1512/11/16weronika76@hotmail.comweronika76@hotmail.com
yourflashplayer[.]xyzAdobe12/19/1512/19/16josiekilbyav@aol.comjosiekilbyav@aol.com
akamaitechnologysupport[.]comAkamai5/27/165/27/17bergers3008@usa.combergers3008@usa.com
akamaitechupdate[.]comAkamai6/21/166/21/17guiromolly@mail.comguiromolly@mail.com
helper-akamai[.]comAkamai5/25/165/25/17N/A8yhi4xqycpzm@mail.ru
cdncloudflare[.]comCloudflare1/16/161/16/19loots@tuta.ioloots@tuta.io
cloudfiare[.]comCloudflare11/3/1511/3/16mia.konzet99@ok.demia.konzet99@ok.de
egypressoffice[.]comEgy Press9/7/159/7/16dana.raphaela@chewiemail.comdana.raphaela@chewiemail.com
access-google[.]comGoogle6/22/156/22/16abuse@opticaljungle.comv9sa2cml@instancemail.net
cdn-google[.]comGoogle5/2/165/2/17issacgolden@hmamail.comcontact@privacyprotect.org
marshmallow-google[.]comGoogle5/19/165/19/17gregorio.oconnor@hmamail.comcontact@privacyprotect.org
terms-google[.]comGoogle12/22/1512/22/16artur.klimenkov@gmail.comartur.klimenkov@gmail.com
honeyvvell[.]coHoneywell2/17/162/16/17pinfiangtw@gmail.compinfiangtw@gmail.com
thehufflngtonpost[.]comHuffington Post11/10/1511/10/16mattew.barnes@aol.comcontact@privacyprotect.org
intelintelligence[.]orgIntel2/11/162/11/17petkrist@myself.competkrist@myself.com
intelsupportcenter[.]comIntel2/17/162/17/17fisterboks@email.comfisterboks@email.com
intelsupportcenter[.]netIntel2/17/162/17/17fisterboks@email.comfisterboks@email.com
micoft[.]comMicrosoft8/8/158/8/16syst.soul@mail.comsyst.soul@mail.com
microsoft-updates[.]meMicrosoft10/7/1510/7/17m8r-abrn11@mailinator.comcontacts@up57893.in
ms-drivadptrwin[.]comMicrosoft2/24/162/24/17mr.michoverton@mail.commr.michoverton@mail.com
ms-sus6[.]comMicrosoft4/14/164/14/17ken.tanaka@mail.comcontact@privacyprotect.org
ms-updates[.]comMicrosoft12/17/1512/17/16sandra.rafaela@chewiemail.comsandra.rafaela@chewiemail.com
securesystemwin[.]comMicrosoft5/22/155/22/17bkopfer7101@mail.comcontact@privacyprotect.org
win-wnigarden[.]comMicrosoft11/25/1511/25/16pinfiangtw@gmail.compinfiangtw@gmail.com
wincodec[.]comMicrosoft12/14/1512/14/16elfreda.pollie@chewiemail.comelfreda.pollie@chewiemail.com
windowsnewupdated[.]comMicrosoft7/2/157/2/16ruzeedomeon@gmail.comcontact@privacyprotect.org
winliveupdate[.]topMicrosoft2/24/162/24/17agnasirahmedd@gmail.comagnasirahmedd@gmail.com
winninggroup-sg[.]comMicrosoft4/21/164/21/17s.penn.254@gmail.coms.penn.254@gmail.com
wm-z[.]bizMicrosoft2/20/102/19/17j.holmberg@dr.comadmin@wm-z.biz
wmepadtech[.]comMicrosoft7/22/157/22/16shawanda.kirlin37@mail.comshawanda.kirlin37@mail.com
nato-org[.]comNATO2/18/162/18/17barry.smith2004@yandex.combarry.smith2004@yandex.com
natoadviser[.]comNATO5/24/165/24/17leo.link@email.comleo.link@email.com
sec-verified[.]comSEC8/3/158/3/16cjgr8hm@gmail.comcjgr8hm@gmail.com
theguardiannews[.]orgThe Guardian12/10/1512/10/16idolbreaker@mail.comidolbreaker@mail.com
theguardianpress[.]comThe Guardian12/9/1512/9/16paulbecker@cock.lipaulbecker@cock.li
services-gov[.]co[.]ukUK Govt1/17/161/17/17saira.samosa@gmail.comN/A
goaarmy[.]orgUS Army8/16/058/16/16owen@kehoe.orgowen@kehoe.org
govsh[.]netUS Govt8/5/158/5/16noshare1024@gmail.comcontact@privacyprotect.org
wsjworld[.]comWSJ3/16/163/16/17
mishel_corp@mail.commishel_corp@mail.com

Some notable patterns stick out from the above list with respect to previously-attributed activity. Theguardianpress[.]com domain was registered using the same email domain, cock[.]li, as the naoasch[.]com and euronews24[.]info domains that were previously attributed to FANCY BEAR activity. This domain was also registered in the same timeframe as another domain, theguardiannews[.]org, which also spoofs The Guardian. Leveraging the Reverse DNS capability within the ThreatConnect platform, we are also able to quickly identify that four of the domains–adoble[.]net, wincodec[.]com, theguardiannews[.]org, and theguardianpress[.]com–previously resolved to the 5.135.183[.]154 IP address. These domains are now hosted elsewhere, with The Guardian-spoofing domains being hosted on dedicated servers. The 5.135.183[.]154 IP also hosted the misdepatrment[.]com domain before it was potentially used in the DNC attack from a dedicated server at the FANCY BEAR 45.32.129[.]185 IP identified by CrowdStrike.

The adobeupdater[.]org domain was registered by the same email, vrickson@mail[.]com, that was used to register the FANCY BEAR-attributed domain ssl-icloud[.]com. Finally, two domains spoofing Intel and one spoofing Honeywell were all registered on February 17, 2016.

It is important to note that we cannot immediately confirm that these domains are hosting malware or are otherwise attributable to malicious APT activity; however, they deserve additional scrutiny due to the patterns identified above, the fact that they use a Bitcoin name server, and that they emulate legitimate organizations. The Start of Authority (SOA) and WHOIS records for these domains confirm that they were not registered by the spoofed organization. Setting alerting capabilities to identify domains that use a bitcoin name server AND were registered using a free webmail account (such as chewiemail[.]com or mail[.]com) may provide an organization with more specific alerts that are useful for both analytic and defensive efforts.

Many of these domain squats are consistent with those that APT actors leverage in their operations, including those targeting NATO, news websites, or Intel. After registering domains like these, APTs can quickly use them in multiple phases of their operation ranging from delivery to command and control.

Previous FANCY BEAR Name Server Activity

This isn’t the first time that various FANCY BEAR infrastructure has leveraged the same technique and used smaller name servers. We reviewed a report from Trend Micro that detailed some domains that had been used in previous FANCY BEAR attacks. Four of the eight domains detailed in the report were likely registered using the same hosting services. These domains initially used the same XtraOrbit name server and later transferred to another XtraOrbit name server before they were published in the report:

DomainInitial Name ServerSecond Name Server
vice-news[.]comxtraorbit[.]comxo.earth.orderbox-dns.com
eurosatory2014[.]comxtraorbit[.]comxo.earth.orderbox-dns.com
webmail-saic[.]comxtraorbit[.]comxo.earth.orderbox-dns.com
natoexhibitionff14[.]comxtraorbit[.]comxo.earth.orderbox-dns.com
tolonevvs[.]comcarbon2u[.]comParked after report
mail.hm.qov[.]huN/AN/A
log-in-osce[.]orgN/AN/A
academl[.]comtrademarkarea[.]comParked after report

Leveraging DomainTools, we were able to identify that only 466 domains currently use the xtraorbit[.]com name server. Then using ThreatConnect’s Analyze function, we were able to identify that at least 17 of those domains had been attributed to FANCY BEAR. The concentration of malicious domains on this name server again demonstrates that analysis of name servers can facilitate analytic efforts against such APT groups.

Conclusion

Bitcoin hosting services and name servers are not limited to what we showed here. In the course of our research, we identified at least three other distinct name servers that were dedicated to bitcoin hosting services: domains4bitcoins.*.orderbox-dns[.]com, *.domains4bitcoins[.]com, and *.domains4bitcoins-parking[.]com. Some domains associated with these name servers were also incorporated into 20160616B: Suspicious Domains on Bitcoin DNS Nameservers.

Also, shady name server activity isn’t restricted to bitcoin services. We identified other name servers hosting a concentration of malicious APT domains. And, as more domains are registered through services like these or transferred to these name servers on a daily basis, it is worthwhile to monitor such activity and incorporate it into your organization’s analytic and defensive efforts.

Read the full series of ThreatConnect posts following the DNC Breach: “Rebooting Watergate: Tapping into the Democratic National Committee“, “Shiny Object? Guccifer 2.0 and the DNC Breach“, “What’s in a Name Server?“, “Guccifer 2.0: the Man, the Myth, the Legend?“, “Guccifer 2.0: All Roads Lead to Russia“, “FANCY BEAR Has an (IT) Itch that They Can’t Scratch“, “Does a BEAR Leak in the Woods?“, “Russian Cyber Operations on Steroids“, and “Can a BEAR Fit Down a Rabbit Hole?“.

 

 

About the Author
ThreatConnect Research Team

The ThreatConnect Research Team: is an elite group of globally-acknowledged cybersecurity experts, dedicated to tracking down existing and emerging cyber threats. We scrutinize trends, technology and socio-political motivators to develop comprehensive knowledge of the cyber landscape. Then, we share what we’ve learned so that you can protect your organization, and your team can take precise action against threats.