A Simple Approach to Discovering Oyster Backdoor Infrastructure

Published on

Jul 23, 2024

Introduction

Oyster backdoor, also known as Broomstick (IBM) and CleanUpLoader (RussianPanda – X), has been linked to malvertising campaigns mimicking popular software. On June 21st, Rapid7 described how attackers disguised the backdoor as a Microsoft Teams installer, targeting unsuspecting users.

The malicious software collects victim information and sends it to a hard-coded C2 domain via an HTTP POST request. Malicious server administrators often leave identifiable clues in their infrastructure setup. As defenders and researchers, identifying these unique markers can help us uncover previously unreported IPs and domains.

In this post, we will examine the Oyster backdoor infrastructure, focusing on HTML titles, body hashes, and TLS certificates.

Domains Identified by Rapid7

In their blog post, Rapid7 identified three domains that the malicious DLLs, CleanUp30.dll and CleanUp.dll, attempted to communicate with:

  • supfoundrysettlers[.]us IP: 64.95.10[.]243
  • wherehomebe[.]com IP: 149.248.79[.]62
  • retdirectyourman[.]eu IP: 206.166.251[.]114

Using this information, we can analyze the above IPs and domains for any anomalies that would assist in developing a query to find additional C2 servers. We will start with the first IP, 64.95.10[.]243, and see what can be found in Hunt.

Infrastructure Analysis

Hunt identified two open ports (22 and 443) on 64.95.10[.]243. Analyzing the HTML response for port 443, depicted in Figure 1, reveals a webpage with the title and content of ‘Soon.’

While the simplicity of this webpage does not overtly indicate malicious activity, we will note this finding and proceed to investigate the TLS history for further insights.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_1.webp
Figure 1: Underlined HTML title for 64.95.10[.]243

An additional screenshot of the same webpage, captured by urlscan.io, is shown below.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_2.webp
Figure 2: Screenshot of supfoundrysettlers[.]us (Source: urlscan)

The History tab in Hunt features a time graph that helps identify overlaps in port and certificate activity. Each button is clickable and displays additional information, such as JA4X, JARM hashes, and certificate details.

As shown in Figure 3, the certificate's common name matches the malicious domain from the Rapid7 report, and that certificate is still active. Additionally, the JARM hash (the yellow bar at the bottom) will be useful when crafting our detection query.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_3.webp
Figure 3: Screenshot of certificate information using the History tab

With no useful pivots on port 22 (SSH) or elsewhere in the TLS history, it's time to focus on a method for identifying the backdoor's servers. Let's Encrypt certificates are ubiquitous, so a search on the issuer alone would likely return hundreds of thousands of hosts. But how many web pages carry the title 'Soon'?

To find out, we combine the server's JARM fingerprint with the hash of the HTTP response body. JARM fingerprints the TLS server stack (how it answers a fixed set of client hellos), not the certificate, so by itself it also matches every other host running the same software with the same configuration; the body hash narrows that set to servers returning the same 'Soon' page. This combination should yield far fewer results than searching by TLD or certificate issuer.

With that, a query to find additional Oyster servers (pseudocode; the field names follow Hunt's search syntax) is:
jarm_fingerprint:"15d3fd16d29d29d00042d43d000000ed1cf37c9a169b41886e27ba8fad60b0" AND http_response_hash:"0c90ad9910cfb37c9969e14388707ef765ef5e73"
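To make the pivot concrete, here is an added example (not Hunt's code or query engine) that applies the same two-term rule to a handful of host records and counts how many hosts each term would match on its own. The JARM value is the one quoted above; the 'Soon' page body, the second JARM value and the two extra hosts are constructed for the example, and it assumes http_response_hash is a SHA-1 over the raw body bytes, which the page does not state.

```python
"""Added example: apply the JARM + HTTP-body-hash pivot to offline host records.

Not Hunt's code. The host records and the reference page body are constructed
here so the script runs without network access."""
from __future__ import annotations

import hashlib
import re
from dataclasses import dataclass
from typing import Optional

# JARM fingerprint quoted on the page for the Oyster C2 servers.
OYSTER_JARM = "15d3fd16d29d29d00042d43d000000ed1cf37c9a169b41886e27ba8fad60b0"

# Constructed stand-in for the 'Soon' landing page. It is NOT the real body,
# so its hash differs from the page's 0c90ad99... value.
REFERENCE_BODY = b"<!doctype html><html><head><title>Soon</title></head><body>Soon</body></html>"

# Constructed placeholder for an unrelated TLS stack (not a real JARM value).
OTHER_JARM = "0" * 62


def body_sha1(body: bytes) -> str:
    """Assumption: http_response_hash is SHA-1 over the raw body bytes (the page's
    value is 40 hex characters); Hunt's exact normalisation is not stated."""
    return hashlib.sha1(body).hexdigest()


def html_title(body: bytes) -> Optional[str]:
    """Pull the <title> out of a response body, as the 'Soon' pivot did by eye."""
    m = re.search(rb"<title[^>]*>(.*?)</title>", body, re.IGNORECASE | re.DOTALL)
    return m.group(1).decode("utf-8", "replace").strip() if m else None


@dataclass(frozen=True)
class HostRecord:
    """One scanned host: JARM of its TLS stack, raw HTTPS response body, open ports."""
    ip: str
    jarm: str
    body: bytes
    ports: tuple[int, ...]

    @property
    def body_hash(self) -> str:
        return body_sha1(self.body)


def matches_oyster_rule(rec: HostRecord, jarm: str = OYSTER_JARM,
                        body_hash: Optional[str] = None) -> bool:
    """jarm_fingerprint:<jarm> AND http_response_hash:<body_hash>, as on the page.
    Ports and certificate issuer are deliberately NOT part of the rule: one hit on
    the page exposed 80/443 rather than 22/443, and Let's Encrypt is too common."""
    if body_hash is None:
        body_hash = body_sha1(REFERENCE_BODY)
    return rec.jarm == jarm and rec.body_hash == body_hash


def hunt(records) -> list[str]:
    """IPs that satisfy the combined rule, in scan order."""
    return [r.ip for r in records if matches_oyster_rule(r)]


def pivot_counts(records) -> dict[str, int]:
    """How many hosts each term matches alone versus combined: the reason the
    page ANDs the two terms instead of searching on either by itself."""
    ref = body_sha1(REFERENCE_BODY)
    return {
        "jarm": sum(r.jarm == OYSTER_JARM for r in records),
        "body_hash": sum(r.body_hash == ref for r in records),
        "jarm_and_body_hash": sum(matches_oyster_rule(r) for r in records),
    }


# Constructed scan results. The first two IPs and their ports are from the page;
# the other two hosts are invented (RFC 5737 documentation ranges) to show the
# false positives each single term would produce.
SAMPLE_RECORDS = [
    HostRecord("64.95.10.243", OYSTER_JARM, REFERENCE_BODY, (22, 443)),    # Rapid7 C2
    HostRecord("193.43.104.208", OYSTER_JARM, REFERENCE_BODY, (80, 443)),  # different ports, still hits
    HostRecord("198.51.100.10", OYSTER_JARM,                               # same TLS stack, different page
               b"<html><head><title>Welcome</title></head><body>hello</body></html>", (443,)),
    HostRecord("203.0.113.7", OTHER_JARM, REFERENCE_BODY, (443,)),         # same 'Soon' page, other stack
]

if __name__ == "__main__":
    print("title:", html_title(REFERENCE_BODY))
    print("hits:", hunt(SAMPLE_RECORDS))
    print("per-term counts:", pivot_counts(SAMPLE_RECORDS))
```

Running it shows the two constructed decoys each match one term but not both, which is the property the combined query relies on; on a real scan the JARM-only count would be far larger, since it also matches every benign host running the same TLS stack.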

Our Findings

Our detection rule for locating Oyster infrastructure flagged seven IP addresses, including the three mentioned in the Rapid7 post.

The limited number of results, combined with the already confirmed domain indicators, suggests our query is effective and likely on target until the threat actor decides to change up their C2 TTPs.

Let's Encrypt certificates and the open ports (22 and 443) were consistent across the returned results, with one exception: 193.43.104[.]208 exposed ports 80 and 443 instead.

A notable difference is the ASN. The three IPs from the Rapid7 report were hosted on BL Networks, while the four new finds are hosted on OVH SAS.

Below are the domains we have uncovered, which have a similar naming theme to those mentioned above.

*Detailed information, including the corresponding IP addresses, can be found at the end of this article.

- codeforprofessionalusers[.]com

https://app.hunt.io/images/blogs/oyster-backdoor/figure_4.webp
Figure 4: Overview of suspected Oyster backdoor IP

- postmastersoriginals[.]com

https://app.hunt.io/images/blogs/oyster-backdoor/figure_5.webp
Figure 5: Screenshot showing suspicious domain and ports 22, 443

- firstcountryours[.]eu

https://app.hunt.io/images/blogs/oyster-backdoor/figure_6.webp
Figure 6: Overview of 162.19.237[.]181 and firstcountryours[.]eu

- dotnetisforchildren[.]com

https://app.hunt.io/images/blogs/oyster-backdoor/figure_7.webp
Figure 7: Screenshot of 193.43.104[.]208. Note ports 80 & 443

To further corroborate our findings associated with the Oyster backdoor, we can analyze the domains using VirusTotal.

It's important to note that a VirusTotal score of 0 does not necessarily indicate that an IP or domain is benign; it simply suggests that additional data may be required for a definitive assessment.

Below are the results for codeforprofessionalusers[.]com and postmastersoriginals[.]com.

Notably, CleanUp.dll, the DLL Rapid7 linked to the Oyster backdoor, appears among the communicating files. Furthermore, additional files appear to spoof Microsoft Defender, potentially indicating a campaign aimed at users seeking antivirus software.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_8.webp
Figure 8: VirusTotal results for postmastersoriginals[.]com (Source: VT)

 

https://app.hunt.io/images/blogs/oyster-backdoor/figure_9.webp
Figure 9: Screenshot of VT results for codeforprofessionalusers[.]com (Source VirusTotal)

Digging into any one of the CleanUp.dll files in Figure 10 below reveals a positive detection for the Oyster backdoor and the /api/connectivity URL path to which victim information is sent via a POST request.

Additionally, under ‘Contacted Domains,’ we see one of our other finds, firstcountryours[.]eu listed.

https://app.hunt.io/images/blogs/oyster-backdoor/figure_10.webp
Figure 10: VirusTotal results for contacted URLs and domains of CleanUp.dll (Source: VT)
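As an added example, not from the page or from Hunt, here is detection logic that runs the page's indicators over constructed Zeek-style http.log lines: any request to one of the seven C2 domains is a confident hit, and a POST to /api/connectivity against any other host is a lead worth reviewing rather than a verdict, because the path is generic. The log lines, internal addresses and the example.net hosts are constructed; the domains, IPs and path are those reported above.

```python
"""Added example: flag Oyster check-in traffic in Zeek-style http.log lines.

Not code from the page. The log lines are constructed and only a subset of
Zeek's http.log columns is used."""
from __future__ import annotations

import csv
import io
from typing import Iterator, Optional

# Domains from the page: Rapid7's three plus the four found by the JARM/body-hash pivot.
OYSTER_C2_DOMAINS = frozenset({
    "supfoundrysettlers.us", "wherehomebe.com", "retdirectyourman.eu",
    "codeforprofessionalusers.com", "postmastersoriginals.com",
    "firstcountryours.eu", "dotnetisforchildren.com",
})

# Check-in path seen in the VirusTotal detail for CleanUp.dll.
CHECKIN_PATH = "/api/connectivity"

# Subset of Zeek http.log columns, tab-separated, in this order.
FIELDS = ["ts", "id.orig_h", "id.resp_h", "method", "host", "uri", "user_agent"]

# Constructed sample. Internal hosts and the 198.51.100/203.0.113 addresses are
# invented; the C2 domains and their IPs are from the page.
SAMPLE_LOG = (
    "1721692800.000\t10.0.0.5\t64.95.10.243\tPOST\tsupfoundrysettlers.us\t/api/connectivity\t-\n"
    "1721692801.000\t10.0.0.6\t203.0.113.50\tGET\twww.example.com\t/index.html\tMozilla/5.0\n"
    "1721692802.000\t10.0.0.7\t198.51.100.20\tPOST\tupdates.example.net\t/api/connectivity\t-\n"
    "1721692803.000\t10.0.0.8\t162.19.237.181\tGET\tfirstcountryours.eu\t/\t-\n"
    "1721692804.000\t10.0.0.9\t198.51.100.21\tGET\tcdn.example.net\t/api/connectivity\t-\n"
)


def parse_http_log(text: str) -> Iterator[dict[str, str]]:
    """Yield one dict per log line, keyed by the Zeek column names above."""
    reader = csv.DictReader(io.StringIO(text), fieldnames=FIELDS, delimiter="\t")
    for row in reader:
        yield row


def is_oyster_domain(host: str) -> bool:
    """Exact or subdomain match against the IOC list; the host is normalised first."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in OYSTER_C2_DOMAINS)


def classify(row: dict[str, str]) -> Optional[str]:
    """Two tiers: a known C2 domain is a confident hit regardless of path; a POST
    to /api/connectivity elsewhere is only a lead, because the path is generic
    enough that legitimate software could use it. GETs to the path are ignored
    since the backdoor's check-in is a POST."""
    if is_oyster_domain(row["host"]):
        return "known-c2"
    if row["method"].upper() == "POST" and row["uri"].split("?", 1)[0] == CHECKIN_PATH:
        return "checkin-path"
    return None


def flag_oyster(text: str) -> list[tuple[str, str, str]]:
    """(client, host, verdict) for each line that deserves attention, in log order."""
    hits = []
    for row in parse_http_log(text):
        verdict = classify(row)
        if verdict:
            hits.append((row["id.orig_h"], row["host"], verdict))
    return hits


if __name__ == "__main__":
    for client, host, verdict in flag_oyster(SAMPLE_LOG):
        print(f"{verdict:13} {client:>10} -> {host}")
```

The two-tier output matters in practice: the known-c2 rows can page someone immediately, while the checkin-path row should be enriched (TLS fingerprint, response title, certificate) before anyone treats updates.example.net as an Oyster server.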

Conclusion

We uncovered and validated suspected Oyster backdoor infrastructure with a relatively simple query. While identifying malicious infrastructure can sometimes be straightforward, it’s not always this easy and requires thorough analysis and strategic pivots to uncover additional C2s.

If you’d like to see how Hunt can help you expose malicious infrastructure before it’s weaponized, contact us to book a free demo today.

Network Observables

IP Address         Domain                          ASN          Notes
64.95.10[.]243     supfoundrysettlers[.]us         BL Networks  Rapid7 blog
149.248.79[.]62    wherehomebe[.]com               BL Networks  Rapid7 blog
206.166.251[.]114  retdirectyourman[.]eu           BL Networks  Rapid7 blog
51.195.232[.]46    codeforprofessionalusers[.]com  OVH SAS      JARM fingerprint + HTML response hash
139.99.221[.]140   postmastersoriginals[.]com      OVH SAS      JARM fingerprint + HTML response hash
162.19.237[.]181   firstcountryours[.]eu           OVH SAS      JARM fingerprint + HTML response hash
193.43.104[.]208   dotnetisforchildren[.]com       OVH SAS      JARM fingerprint + HTML response hash

Related Posts:

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator
Nov 12, 2024

Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.

RunningRAT’s Next Move: From Remote Access to Crypto mining For Profit
Nov 5, 2024

RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.
