How We Identify Malicious Infrastructure At Hunt.io

How We Identify Malicious Infrastructure At Hunt.io

Published on

Published on

Published on

Jan 24, 2024

Jan 24, 2024

Jan 24, 2024

How We Identify Malicious Infrastructure At Hunt.io
How We Identify Malicious Infrastructure At Hunt.io
How We Identify Malicious Infrastructure At Hunt.io
TABLE OF CONTENTS

Introduction

ShadowPad, Quasar RAT, HeadLace, Emotet, and SIGNBT (to name a few) often grab headlines and captivate readers, leading to a long day of scouring logs and network traffic for blue teamers.

Yet, within the mentally taxing assembly instructions lies an equally significant threat -- command and control (C2) infrastructure. Malicious software without a communication link back to the operator isn't beneficial.

In this post, I'll discuss how we at Hunt identify, track, and burn malicious servers, all while keeping defenders updated on the latest threats.

Infrastructure Tracking Methods

Currently, Hunt tracks 110 (85 that are daily active) unique "Families," including information stealers, C2 frameworks, open-source offensive security tools, vulnerability scanners, and many more.

The below figure depicts what users see when navigating to the Advanced Search page.

httpshuntioimagesblogsmalicious-infrastructureimg-1-2xwebp
Figure 1: Hunt Active C2s page & top tracked servers

To stay ahead of the operationalization of these servers, Hunt's researchers identify patterns or anomalies that cause the infrastructure to stick out amongst the 1 billion plus IPv4 addresses.

This process could begin with a blog post or vendor report, an IOC database like Hunt's IOC Hunter (shameless plug), or through internet scanning.

Some areas that assist in detecting malicious infrastructure:

  • TLS/SSL certificates
  • HTTP headers
  • HTML strings
  • SSH keys
  • Domain naming conventions
  • JARM hash
  • JA4x hashes
  • TCP banners

We're all creatures of habit, including attackers; even the most advanced actor(s) has a preferred hosting provider or server software they will consistently fall back on.

Plenty of great articles have been published regarding tracking adversary infrastructure, but you're here for the method behind the madness, right?

Let's dig into a few examples!

Gh0st With a Past

Gh0st RAT (Remote Administration Tool) emerged into the public domain in 2008 and has continued its eerie presence with unrelenting momentum. With numerous variants and a recognizable network protocol, attackers haven't ceased haunting networks.

Version 3.6 includes the five-byte packet flag "Gh0st" between the victim and controller. Sounds easy to detect, right? I'll guide you (quickly) through the initial flaws in my scanning process for this RAT.

I developed a Python script to read a file of IP addresses and ports from an internet scan, send a packet consisting of random data along with the 13-byte header (5-byte "Gh0st", 4-byes packet length, and 4-byte length of packet unzipped), and output which servers responded with the matching packet flag.

*Before scanning the internet, ensure you understand applicable laws and regulations. Additionally, be a good neighbor and limit your scans to specific IP ranges.

httpshuntioimagesblogsmalicious-infrastructureimg-2-2xwebp
Figure 2: Snippet of initial Gh0st scanner

The program successfully identified known Gh0st controllers without any false positives. All done, right? Not so fast.

After discussing my new detection with a teammate, I quickly realized I could condense my script (removing the custom packet) to just a few lines.

It isn't necessary to send a custom packet to obtain the expected response. A few bytes of random data will do the trick.

httpshuntioimagesblogsmalicious-infrastructureimg-3-2xwebp
Figure 3: New code to verify Gh0st servers (Courtesy of a helpful Hunt teammate)
httpshuntioimagesblogsmalicious-infrastructureimg-4-2xwebp
Figure 4: Output of the above code

Not Your Normal ShadowPad Certificate

If tracking suspected Chinese threat actors isn't your thing, you may not know that one method to identify ShadowPad, a much-reported on RAT, is through the TLS certificate it routinely uses.

Avoiding reliance on a single indicator is essential to enhance the tracking of malicious servers. To provide the most accurate information to our users, we'll consider several factors, such as hosting provider, location, historical/recent reporting, 3rd-party detections, etc., before adding C2s to the feed.

httpshuntioimagesblogsmalicious-infrastructureimg-5-2xwebp
Figure 5: ShadowPad certificate data
httpshuntioimagesblogsmalicious-infrastructureimg-6-2xwebp
Figure 6: HTTP headers (port 443)

While hunting for suspicious servers, I stumbled upon the certificate intended to spoof Dell, which also shared HTTP headers similar to those seen in Figure 6.

httpshuntioimagesblogsmalicious-infrastructureimg-7-2xwebp
Figure 7: Odd certificate data
httpshuntioimagesblogsmalicious-infrastructureimg-8-2xwebp
Figure 8: Snippet of HTTP response (ports 80 & 443)

Results from scanning the IP addresses confirmed this was a set of malicious servers, but to which malware family they were associated was unbeknownst to me.

After consulting with fellow researchers (thanks to the Slack Hunt users), we identified that this certificate, particularly, is associated with ShadowPad.

With that, we are ready to push a query combining the certificate fields and the HTTP response to Hunt, resulting in additional infrastructure for tracking/blocking.

Reeling in an Octopus, C2

Octopus is an initial access C2 server written in Python by mhaskar and is available on GitHub. The project is a bit older than other frameworks but is still in use and serves as a great example of detecting malicious servers by simply reading the source code.

Our first step will be to focus on portions of code dealing with network connections (sending or receiving) and any HTML files the operator will interact with. What better place to start than the file "weblistener.py".

httpshuntioimagesblogsmalicious-infrastructureimg-9-2xwebp
Figure 9: Octopus HTML title and header (https://github.com/mhaskar/Octopus)

Within the above title and header tags, requests to the root directory return "Under development" and "Under development server."  These tags are helpful, but many servers likely contain similar messages.  We can use IOC Hunter or ThreatFox to find a few verified Octopus servers to gather additional information for detection..

httpshuntioimagesblogsmalicious-infrastructureimg-10-2xwebp
Figure 10: Octopus HTTP response headers

The HTML tags match the Python code in Figure 9. Adding the HTTP response and omitting any data for the Server and Date headers (as they are subject to change) to the two tags leaves us with a solid query to identify current and future Octopus infrastructure.

Conclusion

Developing a methodology that allows defenders to identify and neutralize attacker infrastructure before they have a chance to deploy their malware is critical to defending our networks. We at Hunt.io will continue unveiling these malicious networks, empowering defenders to stand up against ever-changing infrastructure procurement and employment tactics.

TABLE OF CONTENTS

Introduction

ShadowPad, Quasar RAT, HeadLace, Emotet, and SIGNBT (to name a few) often grab headlines and captivate readers, leading to a long day of scouring logs and network traffic for blue teamers.

Yet, within the mentally taxing assembly instructions lies an equally significant threat -- command and control (C2) infrastructure. Malicious software without a communication link back to the operator isn't beneficial.

In this post, I'll discuss how we at Hunt identify, track, and burn malicious servers, all while keeping defenders updated on the latest threats.

Infrastructure Tracking Methods

Currently, Hunt tracks 110 (85 that are daily active) unique "Families," including information stealers, C2 frameworks, open-source offensive security tools, vulnerability scanners, and many more.

The below figure depicts what users see when navigating to the Advanced Search page.

httpshuntioimagesblogsmalicious-infrastructureimg-1-2xwebp
Figure 1: Hunt Active C2s page & top tracked servers

To stay ahead of the operationalization of these servers, Hunt's researchers identify patterns or anomalies that cause the infrastructure to stick out amongst the 1 billion plus IPv4 addresses.

This process could begin with a blog post or vendor report, an IOC database like Hunt's IOC Hunter (shameless plug), or through internet scanning.

Some areas that assist in detecting malicious infrastructure:

  • TLS/SSL certificates
  • HTTP headers
  • HTML strings
  • SSH keys
  • Domain naming conventions
  • JARM hash
  • JA4x hashes
  • TCP banners

We're all creatures of habit, including attackers; even the most advanced actor(s) has a preferred hosting provider or server software they will consistently fall back on.

Plenty of great articles have been published regarding tracking adversary infrastructure, but you're here for the method behind the madness, right?

Let's dig into a few examples!

Gh0st With a Past

Gh0st RAT (Remote Administration Tool) emerged into the public domain in 2008 and has continued its eerie presence with unrelenting momentum. With numerous variants and a recognizable network protocol, attackers haven't ceased haunting networks.

Version 3.6 includes the five-byte packet flag "Gh0st" between the victim and controller. Sounds easy to detect, right? I'll guide you (quickly) through the initial flaws in my scanning process for this RAT.

I developed a Python script to read a file of IP addresses and ports from an internet scan, send a packet consisting of random data along with the 13-byte header (5-byte "Gh0st", 4-byes packet length, and 4-byte length of packet unzipped), and output which servers responded with the matching packet flag.

*Before scanning the internet, ensure you understand applicable laws and regulations. Additionally, be a good neighbor and limit your scans to specific IP ranges.

httpshuntioimagesblogsmalicious-infrastructureimg-2-2xwebp
Figure 2: Snippet of initial Gh0st scanner

The program successfully identified known Gh0st controllers without any false positives. All done, right? Not so fast.

After discussing my new detection with a teammate, I quickly realized I could condense my script (removing the custom packet) to just a few lines.

It isn't necessary to send a custom packet to obtain the expected response. A few bytes of random data will do the trick.

httpshuntioimagesblogsmalicious-infrastructureimg-3-2xwebp
Figure 3: New code to verify Gh0st servers (Courtesy of a helpful Hunt teammate)
httpshuntioimagesblogsmalicious-infrastructureimg-4-2xwebp
Figure 4: Output of the above code

Not Your Normal ShadowPad Certificate

If tracking suspected Chinese threat actors isn't your thing, you may not know that one method to identify ShadowPad, a much-reported on RAT, is through the TLS certificate it routinely uses.

Avoiding reliance on a single indicator is essential to enhance the tracking of malicious servers. To provide the most accurate information to our users, we'll consider several factors, such as hosting provider, location, historical/recent reporting, 3rd-party detections, etc., before adding C2s to the feed.

httpshuntioimagesblogsmalicious-infrastructureimg-5-2xwebp
Figure 5: ShadowPad certificate data
httpshuntioimagesblogsmalicious-infrastructureimg-6-2xwebp
Figure 6: HTTP headers (port 443)

While hunting for suspicious servers, I stumbled upon the certificate intended to spoof Dell, which also shared HTTP headers similar to those seen in Figure 6.

httpshuntioimagesblogsmalicious-infrastructureimg-7-2xwebp
Figure 7: Odd certificate data
httpshuntioimagesblogsmalicious-infrastructureimg-8-2xwebp
Figure 8: Snippet of HTTP response (ports 80 & 443)

Results from scanning the IP addresses confirmed this was a set of malicious servers, but to which malware family they were associated was unbeknownst to me.

After consulting with fellow researchers (thanks to the Slack Hunt users), we identified that this certificate, particularly, is associated with ShadowPad.

With that, we are ready to push a query combining the certificate fields and the HTTP response to Hunt, resulting in additional infrastructure for tracking/blocking.

Reeling in an Octopus, C2

Octopus is an initial access C2 server written in Python by mhaskar and is available on GitHub. The project is a bit older than other frameworks but is still in use and serves as a great example of detecting malicious servers by simply reading the source code.

Our first step will be to focus on portions of code dealing with network connections (sending or receiving) and any HTML files the operator will interact with. What better place to start than the file "weblistener.py".

httpshuntioimagesblogsmalicious-infrastructureimg-9-2xwebp
Figure 9: Octopus HTML title and header (https://github.com/mhaskar/Octopus)

Within the above title and header tags, requests to the root directory return "Under development" and "Under development server."  These tags are helpful, but many servers likely contain similar messages.  We can use IOC Hunter or ThreatFox to find a few verified Octopus servers to gather additional information for detection..

httpshuntioimagesblogsmalicious-infrastructureimg-10-2xwebp
Figure 10: Octopus HTTP response headers

The HTML tags match the Python code in Figure 9. Adding the HTTP response and omitting any data for the Server and Date headers (as they are subject to change) to the two tags leaves us with a solid query to identify current and future Octopus infrastructure.

Conclusion

Developing a methodology that allows defenders to identify and neutralize attacker infrastructure before they have a chance to deploy their malware is critical to defending our networks. We at Hunt.io will continue unveiling these malicious networks, empowering defenders to stand up against ever-changing infrastructure procurement and employment tactics.

Related Posts:

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.

Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator
Nov 12, 2024

Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.

Targeting Innovation: Sliver C2 and Ligolo-ng Used in Operation Aimed at Y Combinator
Nov 12, 2024

Sliver C2 and Ligolo-ng join forces in a campaign likely targeting Y Combinator, revealing tactics and infrastructure aimed at the accelerator's network. Learn more.

RunningRAT’s Next Move: From Remote Access to Crypto mining For Profit
Nov 5, 2024

RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.

RunningRAT’s Next Move: From Remote Access to Crypto mining For Profit
Nov 5, 2024

RunningRAT has shifted from access-driven tactics to crypto mining, using open directories to stage payloads and reduce direct C2 traffic.

DarkPeony’s Trail: Certificate Patterns Point to Sustained Campaign Infrastructure
Nov 21, 2024

Explore how DarkPeony's consistent use of certificates reveals ongoing infrastructure activity, indicating consistent operations across different regions.

XenoRAT Adopts Excel XLL Files and ConfuserEx as Access Method
Nov 19, 2024

Discover XenoRAT’s adoption of Excel XLL files and Confuser’s tactical shift from its usual methods, with our insights on adapting to evolving malware techniques.