Tales from the Hunt: A Look at Yakit Security Tool

Tales from the Hunt: A Look at Yakit Security Tool

Published on

Published on

Published on

May 28, 2024

May 28, 2024

May 28, 2024

Tales from the Hunt: A Look at Yakit Security Tool
Tales from the Hunt: A Look at Yakit Security Tool
Tales from the Hunt: A Look at Yakit Security Tool
TABLE OF CONTENTS

Introduction

In our previous post on the Viper framework, we briefly covered the Yakit Security tool, which is publicly available on GitHub. In this post, we'll discuss its features and cover additional red team tools co-hosted with the project, as discovered during our internet-wide scans.

First released on GitHub in late 2021, the Yakit developers describe the tool as an "all-in-one platform based on Yaklang," a cybersecurity domain-specific language that offers man-in-the-middle interception capabilities, web fuzzing and scanning, and a plugin store.

httpshuntioimagesblogstales-from-huntf1webp

The Yakit platform ships with a team server and server for the man-in-the-middle function. The Yakit Team Server and the interception platform ship with default TLS certificates, which can be leveraged to identify Yakit instances in the wild.

Examples of the standard certificates can be seen below in Figure 2.

httpshuntioimagesblogstales-from-huntf2webp
Figure 2: Example Yakit certificates

Identifying Yakit Infrastructure With Hunt

Following the Viper post, we initiated scans for Yakit installations, identifying 34 unique IP addresses across the internet. It should be noted that this count does not include instances where operators have replaced the default certificates with their own. Figure 3 below shows a snippet of the addresses discovered and available to our customers.

httpshuntioimagesblogstales-from-huntf3webp
Figure 3: Screenshot of Yakit instances

According to our visibility, the most popular port for Yakit is 8087, with nearly half of the IP addresses identified using that port. The remaining ports are in the same range, including some in the 60-thousand range. Interestingly, we have not observed any instances using well-known ports such as 443 or 8443.

Given that the group behind Yakit, Yaklang, appears to be based in China, it is unsurprising that many companies hosting the tool are commonly used across Asia. Figure 4 shows the top hosts and the most popular countries for Yakit.

httpshuntioimagesblogstales-from-huntf4webp
Figure 4: Hunt findings for Yakit hosting

Yakit Infrastructure: What We Found

It is important to note that using Yakit does not necessarily indicate malicious activity. Red teamers and researchers often use this tool for legitimate purposes. Below, we'll examine some additional tools we found alongside Yakit, including ARL, Viper, SuperShell, Cobalt Strike (CS) with watermarks associated with malicious operations, and a few Cobalt Strike Cat servers.

We'll start with IP address 111.229.186_39, hosted by Tencent and located in China.

httpshuntioimagesblogstales-from-huntf5webp
Figure 5: Yakit Team Server IP

This IP address currently hosts a Yakit Team Server and, a few weeks ago, the open-source tool Asset Reconnaissance Lighthouse (ARL). You may have also noticed a wildcard certificate for chinaunicom[.]xyz, likely spoofing the legitimate China Unicom telecommunications company.

Users familiar with the Hunt platform can quickly unearth infrastructure using the same certificate by clicking the "Certificate IPs" button, as seen in the above image. Figure 6 shows the results of that pivot, identifying a single IP address using the spoofed certificate. 124.223.189_15 also previously hosted a Cobalt Strike team server using the commonly seen "Major Cobalt Strike" in its certificate.

httpshuntioimagesblogstales-from-huntf6webp
Figure 6: Certificate pivot in Hunt

Next, let's examine some of the Cobalt Strike watermarks we've encountered. The first, 987654321, needs no introduction and has been linked to numerous intrusions. Additional IPs using the watermark and Yakit:

  • 154.12.31_24
  • 116.205.188_138.

If you want to analyze samples using this configuration, check out ThreatFox.

httpshuntioimagesblogstales-from-huntf7webp
Figure 7: Screenshot of Cobalt Strike watermark associations

The IP address ending in .24 is also likely hosting Cobalt Strike Cat, a modified version of the original Red Team tool. Cat's default certificate is C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=*.microsoft. com.

I covered this finding in a tweet earlier this year:
https://twitter.com/nahamike01/status/1744479244275818893

See Figure 8 for the certificate below.

httpshuntioimagesblogstales-from-huntf8webp
Figure 8: Possible Cobalt Strike Cat certificate

The following IP address, 64.176.168_194, uses the "Major Cobalt Strike" certificate common name for the team server. However, this certificate is less common than you might think. Clicking on "Certificate IPs," Hunt identifies three additional IP addresses.

In addition to Cobalt Strike, these IP addresses hosted ARL and mitmproxy, an open-source HTTPS proxy.

httpshuntioimagesblogstales-from-huntf9webp
Figure 9: Cobalt Strike & Yakit team servers
httpshuntioimagesblogstales-from-huntf10webp
Figure 10: Certificate pivot in Hunt

Multiple security vendors have linked watermark 391144938 (see this Dec 2023 post/tweet by Group-IB) to malicious activity, including HsHarada/Rapture ransomware. The final Yakit/CS server to be covered is 47.98.251_131.

Hunt's scanners have found 169 IPs sharing the same configuration. All of which can be analyzed with a simple mouse click.

httpshuntioimagesblogstales-from-huntf11webp
Figure 11: CS watermark IP

Finally, we'll examine a server that, as of May 9, was hosting a SuperShell C2 server, an open-source platform we covered not too long ago. Using Hunt's Port History feature, we can see how different ports and protocols responded to our scans. The SuperShell login can be seen in Figure 12 below at port 8888.

httpshuntioimagesblogstales-from-huntf12webp
Figure 12: SuperShell login at port 8888

First seen in November 2023, this same IP recently hosted a Cobalt Strike Cat team server, as shown below, using the SSL History feature.

httpshuntioimagesblogstales-from-huntf13webp
Figure 13: Possible Cobalt Strike Cat certificate

Stay Ahead of Threats With Hunt

Hunt's scans have revealed a range of tools and activities associated with Yakit infrastructure. While the presence of Yakit and related tools like ARL, Viper, and Cobalt Strike can indicate legitimate red teaming and research efforts, they also highlight the need for vigilant monitoring.

Our findings underscore the importance of thorough reconnaissance and continuous analysis to stay ahead of potential threats. To stay ahead of emerging threats, we encourage defenders and researchers alike to apply for an account with Hunt and gain access to comprehensive scans and detailed insights to highlight adversary infrastructure.

TABLE OF CONTENTS

Introduction

In our previous post on the Viper framework, we briefly covered the Yakit Security tool, which is publicly available on GitHub. In this post, we'll discuss its features and cover additional red team tools co-hosted with the project, as discovered during our internet-wide scans.

First released on GitHub in late 2021, the Yakit developers describe the tool as an "all-in-one platform based on Yaklang," a cybersecurity domain-specific language that offers man-in-the-middle interception capabilities, web fuzzing and scanning, and a plugin store.

httpshuntioimagesblogstales-from-huntf1webp

The Yakit platform ships with a team server and server for the man-in-the-middle function. The Yakit Team Server and the interception platform ship with default TLS certificates, which can be leveraged to identify Yakit instances in the wild.

Examples of the standard certificates can be seen below in Figure 2.

httpshuntioimagesblogstales-from-huntf2webp
Figure 2: Example Yakit certificates

Identifying Yakit Infrastructure With Hunt

Following the Viper post, we initiated scans for Yakit installations, identifying 34 unique IP addresses across the internet. It should be noted that this count does not include instances where operators have replaced the default certificates with their own. Figure 3 below shows a snippet of the addresses discovered and available to our customers.

httpshuntioimagesblogstales-from-huntf3webp
Figure 3: Screenshot of Yakit instances

According to our visibility, the most popular port for Yakit is 8087, with nearly half of the IP addresses identified using that port. The remaining ports are in the same range, including some in the 60-thousand range. Interestingly, we have not observed any instances using well-known ports such as 443 or 8443.

Given that the group behind Yakit, Yaklang, appears to be based in China, it is unsurprising that many companies hosting the tool are commonly used across Asia. Figure 4 shows the top hosts and the most popular countries for Yakit.

httpshuntioimagesblogstales-from-huntf4webp
Figure 4: Hunt findings for Yakit hosting

Yakit Infrastructure: What We Found

It is important to note that using Yakit does not necessarily indicate malicious activity. Red teamers and researchers often use this tool for legitimate purposes. Below, we'll examine some additional tools we found alongside Yakit, including ARL, Viper, SuperShell, Cobalt Strike (CS) with watermarks associated with malicious operations, and a few Cobalt Strike Cat servers.

We'll start with IP address 111.229.186_39, hosted by Tencent and located in China.

httpshuntioimagesblogstales-from-huntf5webp
Figure 5: Yakit Team Server IP

This IP address currently hosts a Yakit Team Server and, a few weeks ago, the open-source tool Asset Reconnaissance Lighthouse (ARL). You may have also noticed a wildcard certificate for chinaunicom[.]xyz, likely spoofing the legitimate China Unicom telecommunications company.

Users familiar with the Hunt platform can quickly unearth infrastructure using the same certificate by clicking the "Certificate IPs" button, as seen in the above image. Figure 6 shows the results of that pivot, identifying a single IP address using the spoofed certificate. 124.223.189_15 also previously hosted a Cobalt Strike team server using the commonly seen "Major Cobalt Strike" in its certificate.

httpshuntioimagesblogstales-from-huntf6webp
Figure 6: Certificate pivot in Hunt

Next, let's examine some of the Cobalt Strike watermarks we've encountered. The first, 987654321, needs no introduction and has been linked to numerous intrusions. Additional IPs using the watermark and Yakit:

  • 154.12.31_24
  • 116.205.188_138.

If you want to analyze samples using this configuration, check out ThreatFox.

httpshuntioimagesblogstales-from-huntf7webp
Figure 7: Screenshot of Cobalt Strike watermark associations

The IP address ending in .24 is also likely hosting Cobalt Strike Cat, a modified version of the original Red Team tool. Cat's default certificate is C=US, ST=WA, L=Redmond, O=Microsoft Corporation, OU=Microsoft Corporation, CN=*.microsoft. com.

I covered this finding in a tweet earlier this year:
https://twitter.com/nahamike01/status/1744479244275818893

See Figure 8 for the certificate below.

httpshuntioimagesblogstales-from-huntf8webp
Figure 8: Possible Cobalt Strike Cat certificate

The following IP address, 64.176.168_194, uses the "Major Cobalt Strike" certificate common name for the team server. However, this certificate is less common than you might think. Clicking on "Certificate IPs," Hunt identifies three additional IP addresses.

In addition to Cobalt Strike, these IP addresses hosted ARL and mitmproxy, an open-source HTTPS proxy.

httpshuntioimagesblogstales-from-huntf9webp
Figure 9: Cobalt Strike & Yakit team servers
httpshuntioimagesblogstales-from-huntf10webp
Figure 10: Certificate pivot in Hunt

Multiple security vendors have linked watermark 391144938 (see this Dec 2023 post/tweet by Group-IB) to malicious activity, including HsHarada/Rapture ransomware. The final Yakit/CS server to be covered is 47.98.251_131.

Hunt's scanners have found 169 IPs sharing the same configuration. All of which can be analyzed with a simple mouse click.

httpshuntioimagesblogstales-from-huntf11webp
Figure 11: CS watermark IP

Finally, we'll examine a server that, as of May 9, was hosting a SuperShell C2 server, an open-source platform we covered not too long ago. Using Hunt's Port History feature, we can see how different ports and protocols responded to our scans. The SuperShell login can be seen in Figure 12 below at port 8888.

httpshuntioimagesblogstales-from-huntf12webp
Figure 12: SuperShell login at port 8888

First seen in November 2023, this same IP recently hosted a Cobalt Strike Cat team server, as shown below, using the SSL History feature.

httpshuntioimagesblogstales-from-huntf13webp
Figure 13: Possible Cobalt Strike Cat certificate

Stay Ahead of Threats With Hunt

Hunt's scans have revealed a range of tools and activities associated with Yakit infrastructure. While the presence of Yakit and related tools like ARL, Viper, and Cobalt Strike can indicate legitimate red teaming and research efforts, they also highlight the need for vigilant monitoring.

Our findings underscore the importance of thorough reconnaissance and continuous analysis to stay ahead of potential threats. To stay ahead of emerging threats, we encourage defenders and researchers alike to apply for an account with Hunt and gain access to comprehensive scans and detailed insights to highlight adversary infrastructure.

Related Posts:

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

“Million OK!!!!” and the Naver Facade: Tracking Recent Suspected Kimsuky Infrastructure
Dec 10, 2024

Learn how the 'Million OK!!!' HTTP response previously linked to Kimsuky has reappeared on new IPs and domains. This update provides the latest insights into evolving infrastructure, helping defenders stay informed on potential North Korean threat activity.

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

MoqHao Leverages iCloud and VK in Campaign Targeting Apple IDs and Android Device
Dec 5, 2024

Discover how the MoqHao campaign leveraging iCloud and VK employs cross-platform tactics to steal credentials and distribute malicious APKs.

Dec 20, 2024

Discover Hunt.io's 2024 highlights: major product launches, innovations like AttackCapture™, C2 Feed, and Hunt SQL, and a look ahead to 2025.

Oyster’s Trail: Resurgence of Infrastructure Linked to Ransomware and Cybercrime Actors
Dec 12, 2024

Our latest analysis uncovers domains linked to the Oyster backdoor, revealing suspected Vanilla Tempest infrastructure and offering insights into server configuration patterns.