A Simple Approach to Discovering Oyster Backdoor Infrastructure

A Simple Approach to Discovering Oyster Backdoor Infrastructure

Published on

Published on

Published on

Jul 23, 2024

Jul 23, 2024

Jul 23, 2024

A Simple Approach to Discovering Oyster Backdoor Infrastructure | Hunt.io
A Simple Approach to Discovering Oyster Backdoor Infrastructure | Hunt.io
A Simple Approach to Discovering Oyster Backdoor Infrastructure | Hunt.io
TABLE OF CONTENTS

Introduction

Oyster backdoor, also known as Broomstick (IBM) and CleanUpLoader (RussianPanda – X), has been linked to malvertising campaigns mimicking popular software. On June 21st, Rapid7 described how attackers disguised the backdoor as a Microsoft Teams installer, targeting unsuspecting users.

The malicious software collects victim information and sends it to a hard-coded C2 domain via an HTTP POST request. Malicious server administrators often leave identifiable clues in their infrastructure setup. As defenders and researchers, identifying these unique markers can help us uncover previously unreported IPs and domains.

In this post, we will examine the Oyster backdoor infrastructure, focusing on HTML titles, body hashes, and TLS certificates.

Domains Identified by Rapid7

In their blog post, Rapid7 identified three domains, the malicious DLLs, CleanUp30.dll and CleanUp.dll, attempted to communicate with:

  • supfoundrysettlers[.]us IP: 64.95.10[.]243
  • wherehomebe[.]com IP: 149.248.79[.]62
  • retdirectyourman[.]eu IP: 206.166.251[.]114

Using this information, we can analyze the above IPs and domains for any anomalies that would assist in developing a query to find additional C2 servers. We will start with the first IP, 64.95.10[.]243, and see what can be found in Hunt.

Infrastructure Analysis

Hunt identified two open ports (22 and 443) on 64.95.10[.]243. Analyzing the HTML response for port 443, depicted in Figure 1, reveals a webpage with the title and content of ‘Soon.’

While the simplicity of this webpage does not overtly indicate malicious activity, we will note this finding and proceed to investigate the TLS history for further insights.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_1.webp
Figure 1: Underlined HTML title for 64.95.10[.]243 (Try it here)

An additional screenshot of the above webpage from urlscanio can be found below.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_2.webp
Figure 2: Screenshot of supfoundrysettlers[.]us (Source: urlscan)

The History tab in Hunt features a time graph that helps identify overlaps in port and certificate activity. Each button is clickable and displays additional information, such as JA4X, JARM hashes, and certificate details.

As shown in Figure 3, the cert's common name matches that of the malicious domain reported in the Rapid7 report, which is still active. Additionally, a JARM hash (the yellow bar at the bottom) will be helpful when crafting our detection query.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_3.webp
Figure 3: Screenshot of certificate information using the History tab

With no available pivots on port 22, SSH, or other TLS history, it’s time to focus on developing a method for identifying the backdoor. Using Let’s Encrypt certificates is common practice and would likely result in hundreds of thousands of results alone, but how many web pages have the title ‘Soon’?

To understand the prevalence, we’ll combine the cert's JARM fingerprint hash with the HTML response body hash. This approach may yield fewer results than searching for specific TLDs using Let’s Encrypt.

With that, a pseudocode query to find additional Oyster servers is
jarm_fingerprint:”15d3fd16d29d29d00042d43d000000ed1cf37c9a169b41886e27ba8fad60b0” AND http_response_hash:”0c90ad9910cfb37c9969e14388707ef765ef5e73”

Our Findings

Our detection rule for locating Oyster infrastructure flagged seven IP addresses, including the three mentioned in the Rapid7 post.

The limited number of results, combined with the already confirmed domain indicators, suggests our query is effective and likely on target until the threat actor decides to change up their C2 TTPs.

Let’s Encrypt certificates and ports remained consistent across the returned results, with one exception (193.43.104[.]208), which had ports 80 and 443 open.

A notable difference is the ASNs. The three known domains/IPs were hosted on BL Networks infrastructure, while our findings are hosted on OVH SAS.

Below are the domains we have uncovered, which have a similar naming theme to those mentioned above.

*Detailed information, including the corresponding IP addresses, can be found at the end of this article.

- codeforprofessionalusers[.]com

https://app.hunt.io/images/blogs/oyster-backdoor/figure_4.webp
Figure 4: Overview of suspected Oyster backdoor IP (Check it out here)

- postmastersoriginals[.]com

https://app.hunt.io/images/blogs/oyster-backdoor/figure_5.webp
Figure 5: Screenshot showing suspicious domain and ports 22, 443 (Check it out here)

- firstcountryours[.]eu

https://app.hunt.io/images/blogs/oyster-backdoor/figure_6.webp
Figure 6: Overview of 162.19.237[.]181 and firstcountryours[.]eu (Check it out here)

- dotnetisforchildren[.]com

https://app.hunt.io/images/blogs/oyster-backdoor/figure_7.webp
Figure 7: Screenshot of 193.43.104[.]208. Note ports 80 & 443 (link here)

To further corroborate our findings associated with the Oyster backdoor, we can analyze the domains using VirusTotal.

It's important to note that a VirusTotal score of 0 does not necessarily indicate that an IP or domain is benign; it simply suggests that additional data may be required for a definitive assessment.

Below are the results for codeforprofessionalusers[.]com and postmastersoriginals[.]com.

Notably, CleanUp.dll has been linked to the Oyster backdoor. Furthermore, additional files appear to spoof Microsoft's Defender, potentially indicating a campaign aimed at users seeking antivirus software.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_8.webp
Figure 8: VirusTotal results for postmastersoriginals[.]com (Source: VT)

 

https://app.hunt.io/images/blogs/oyster-backdoor/figure_9.webp
Figure 9: Screenshot of VT results for codeforprofessionalusers[.]com (Source VirusTotal)

Digging into any one of the CleanUp.dll files in Figure 10 below reveals a positive detection for the Oyster backdoor and the /api/connectivity URL path where victim information is sent via a POST request.

Additionally, under ‘Contacted Domains,’ we see one of our other finds, firstcountryours[.]eu listed.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_10.webp
Figure 10: VirusTotal results for contacted URLs and domains of CleanUp.dll (Source: VT)

Conclusion

We uncovered and validated suspected Oyster backdoor infrastructure with a relatively simple query. While identifying malicious infrastructure can sometimes be straightforward, it’s not always this easy and requires thorough analysis and strategic pivots to uncover additional C2s.

If you’d like to see how Hunt can help you expose malicious infrastructure before it’s weaponized, contact us to book a free demo today.

Network Observables

IP AddressDomainANSNotes
64.95.10[.]243supfoundrysettlers[.]usBL NetworksRapid7 Blog
149.248.79[.]62wherehomebe[.]comBL NetworksRapid7 Blog
206.166.251[.]114retdirectyourman[.]euBL NetworksRapid7 Blog
51.195.232[.]46codeforprofessionalusers[.]comOVH SASJarm fingerprint + HTML response hash
139.99.221[.]140postmastersoriginals[.]comOVH SASJarm fingerprint + HTML response hash
162.19.237[.]181firstcountryours[.]euOVH SASJarm fingerprint + HTML response hash
193.43.104[.]208dotnetisforchildren[.]comOVH SASJarm fingerprint + HTML response hash
TABLE OF CONTENTS

Introduction

Oyster backdoor, also known as Broomstick (IBM) and CleanUpLoader (RussianPanda – X), has been linked to malvertising campaigns mimicking popular software. On June 21st, Rapid7 described how attackers disguised the backdoor as a Microsoft Teams installer, targeting unsuspecting users.

The malicious software collects victim information and sends it to a hard-coded C2 domain via an HTTP POST request. Malicious server administrators often leave identifiable clues in their infrastructure setup. As defenders and researchers, identifying these unique markers can help us uncover previously unreported IPs and domains.

In this post, we will examine the Oyster backdoor infrastructure, focusing on HTML titles, body hashes, and TLS certificates.

Domains Identified by Rapid7

In their blog post, Rapid7 identified three domains, the malicious DLLs, CleanUp30.dll and CleanUp.dll, attempted to communicate with:

  • supfoundrysettlers[.]us IP: 64.95.10[.]243
  • wherehomebe[.]com IP: 149.248.79[.]62
  • retdirectyourman[.]eu IP: 206.166.251[.]114

Using this information, we can analyze the above IPs and domains for any anomalies that would assist in developing a query to find additional C2 servers. We will start with the first IP, 64.95.10[.]243, and see what can be found in Hunt.

Infrastructure Analysis

Hunt identified two open ports (22 and 443) on 64.95.10[.]243. Analyzing the HTML response for port 443, depicted in Figure 1, reveals a webpage with the title and content of ‘Soon.’

While the simplicity of this webpage does not overtly indicate malicious activity, we will note this finding and proceed to investigate the TLS history for further insights.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_1.webp
Figure 1: Underlined HTML title for 64.95.10[.]243 (Try it here)

An additional screenshot of the above webpage from urlscanio can be found below.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_2.webp
Figure 2: Screenshot of supfoundrysettlers[.]us (Source: urlscan)

The History tab in Hunt features a time graph that helps identify overlaps in port and certificate activity. Each button is clickable and displays additional information, such as JA4X, JARM hashes, and certificate details.

As shown in Figure 3, the cert's common name matches that of the malicious domain reported in the Rapid7 report, which is still active. Additionally, a JARM hash (the yellow bar at the bottom) will be helpful when crafting our detection query.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_3.webp
Figure 3: Screenshot of certificate information using the History tab

With no available pivots on port 22, SSH, or other TLS history, it’s time to focus on developing a method for identifying the backdoor. Using Let’s Encrypt certificates is common practice and would likely result in hundreds of thousands of results alone, but how many web pages have the title ‘Soon’?

To understand the prevalence, we’ll combine the cert's JARM fingerprint hash with the HTML response body hash. This approach may yield fewer results than searching for specific TLDs using Let’s Encrypt.

With that, a pseudocode query to find additional Oyster servers is
jarm_fingerprint:”15d3fd16d29d29d00042d43d000000ed1cf37c9a169b41886e27ba8fad60b0” AND http_response_hash:”0c90ad9910cfb37c9969e14388707ef765ef5e73”

Our Findings

Our detection rule for locating Oyster infrastructure flagged seven IP addresses, including the three mentioned in the Rapid7 post.

The limited number of results, combined with the already confirmed domain indicators, suggests our query is effective and likely on target until the threat actor decides to change up their C2 TTPs.

Let’s Encrypt certificates and ports remained consistent across the returned results, with one exception (193.43.104[.]208), which had ports 80 and 443 open.

A notable difference is the ASNs. The three known domains/IPs were hosted on BL Networks infrastructure, while our findings are hosted on OVH SAS.

Below are the domains we have uncovered, which have a similar naming theme to those mentioned above.

*Detailed information, including the corresponding IP addresses, can be found at the end of this article.

- codeforprofessionalusers[.]com

https://app.hunt.io/images/blogs/oyster-backdoor/figure_4.webp
Figure 4: Overview of suspected Oyster backdoor IP (Check it out here)

- postmastersoriginals[.]com

https://app.hunt.io/images/blogs/oyster-backdoor/figure_5.webp
Figure 5: Screenshot showing suspicious domain and ports 22, 443 (Check it out here)

- firstcountryours[.]eu

https://app.hunt.io/images/blogs/oyster-backdoor/figure_6.webp
Figure 6: Overview of 162.19.237[.]181 and firstcountryours[.]eu (Check it out here)

- dotnetisforchildren[.]com

https://app.hunt.io/images/blogs/oyster-backdoor/figure_7.webp
Figure 7: Screenshot of 193.43.104[.]208. Note ports 80 & 443 (link here)

To further corroborate our findings associated with the Oyster backdoor, we can analyze the domains using VirusTotal.

It's important to note that a VirusTotal score of 0 does not necessarily indicate that an IP or domain is benign; it simply suggests that additional data may be required for a definitive assessment.

Below are the results for codeforprofessionalusers[.]com and postmastersoriginals[.]com.

Notably, CleanUp.dll has been linked to the Oyster backdoor. Furthermore, additional files appear to spoof Microsoft's Defender, potentially indicating a campaign aimed at users seeking antivirus software.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_8.webp
Figure 8: VirusTotal results for postmastersoriginals[.]com (Source: VT)

 

https://app.hunt.io/images/blogs/oyster-backdoor/figure_9.webp
Figure 9: Screenshot of VT results for codeforprofessionalusers[.]com (Source VirusTotal)

Digging into any one of the CleanUp.dll files in Figure 10 below reveals a positive detection for the Oyster backdoor and the /api/connectivity URL path where victim information is sent via a POST request.

Additionally, under ‘Contacted Domains,’ we see one of our other finds, firstcountryours[.]eu listed.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_10.webp
Figure 10: VirusTotal results for contacted URLs and domains of CleanUp.dll (Source: VT)

Conclusion

We uncovered and validated suspected Oyster backdoor infrastructure with a relatively simple query. While identifying malicious infrastructure can sometimes be straightforward, it’s not always this easy and requires thorough analysis and strategic pivots to uncover additional C2s.

If you’d like to see how Hunt can help you expose malicious infrastructure before it’s weaponized, contact us to book a free demo today.

Network Observables

IP AddressDomainANSNotes
64.95.10[.]243supfoundrysettlers[.]usBL NetworksRapid7 Blog
149.248.79[.]62wherehomebe[.]comBL NetworksRapid7 Blog
206.166.251[.]114retdirectyourman[.]euBL NetworksRapid7 Blog
51.195.232[.]46codeforprofessionalusers[.]comOVH SASJarm fingerprint + HTML response hash
139.99.221[.]140postmastersoriginals[.]comOVH SASJarm fingerprint + HTML response hash
162.19.237[.]181firstcountryours[.]euOVH SASJarm fingerprint + HTML response hash
193.43.104[.]208dotnetisforchildren[.]comOVH SASJarm fingerprint + HTML response hash

Related Posts:

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.