Unearthing New Infrastructure by Revisiting Past Threat Reports

Published on May 21, 2024
Introduction

If you know David Bianco's "Pyramid of Pain" model, you know that IP addresses sit among the lower-value indicators of compromise: they are short-lived and easily changed, and are often returned to legitimate use soon after.

However, IP-based intelligence offers valuable insights when examining commonalities (open directories, ports, etc.) across ASNs.

One way of gathering this information is by revisiting past threat reports. In this post, we'll explore how examining IP addresses from historical vendor reports can lead to discovering new attacker infrastructure, providing a window into evolving threats.

Starting Point: The Blog Post

The post we'll be referencing today is on secrss.com and details a phishing campaign attributed to the Silver Fox group targeting Chinese users with the standard GhostRAT malware and a variant first introduced on the t00ls forum dubbed "winos."

Figure 1: Screenshot of Silver Fox blog post (Source: https://www.secrss.com/articles/60688)

The article (published Nov 2023) provides many IP addresses and ports that we could use to find similar infrastructure within the same ASN. Instead, we will look for open directories within some of these networks and see what interesting files await our analysis.

Figure 2: Just a few of the IPs found in the Secrss article
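As an added illustration (not code from the Hunt post), the following Python performs the first step of the pivot described above: it pulls defanged IP:port indicators out of report text, refangs them, validates them, and buckets them by network block so neighbouring hosts can be reviewed together. The report text and addresses are constructed samples, and the block-based grouping stands in for an ASN lookup, which needs an external data source.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample in the defanged style threat reports use. The addresses
# are documentation ranges, not indicators taken from the article.
SAMPLE_REPORT = """
C2 observed at 203.0.113[.]45:8000 and 203.0.113[.]77:443, with a second
cluster at 198.51.100(.)12:80. The typo 192.0.2.300:1 must be ignored.
"""

# Dotted quad whose dots may be defanged as [.] or (.), with an optional :port.
_IOC_RE = re.compile(r"\b((?:\d{1,3}(?:\[\.\]|\(\.\)|\.)){3}\d{1,3})(?::(\d{1,5}))?\b")

def refang(text: str) -> str:
    """Turn the defanged separators [.] and (.) back into plain dots."""
    return text.replace("[.]", ".").replace("(.)", ".")

def extract_ip_ports(text: str):
    """Return (ip, port) tuples found in text; port is None when absent."""
    found = []
    for ip_raw, port in _IOC_RE.findall(text):
        ip = refang(ip_raw)
        try:
            ipaddress.ip_address(ip)  # rejects malformed octets such as 300
        except ValueError:
            continue
        if port and not 0 < int(port) < 65536:
            continue  # drop entries whose port is out of range
        found.append((ip, int(port) if port else None))
    return found

def group_by_block(pairs, prefix_len: int = 24):
    """Bucket indicators by network block so neighbouring hosts are reviewed together.
    ASN lookup needs an external data source; the block serves as a local proxy."""
    buckets = defaultdict(list)
    for ip, port in pairs:
        net = ipaddress.ip_network(f"{ip}/{prefix_len}", strict=False)
        buckets[str(net)].append((ip, port))
    return dict(buckets)
```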

The SECRSS article details the "Silver Fox" cybercriminal group's operations. So what exactly happened?

The Silver Fox group's recent phishing campaign targeted Chinese users and companies through different malicious techniques. Among those techniques, they used SEO (Search Engine Optimization) to make sure their phishing sites rank highly in Chinese search engine results.

Alongside SEO, they used malicious ads and multiple email phishing campaigns to distribute Remote Administration Trojan (RAT) malware (Gh0st RAT, ValleyRAT, and Sainbox RAT).

When people searched on google.cn (for Telegram, for example), they were redirected to google.com.hk to receive uncensored search results filled with malicious ads, possibly placed by these threat actors.

Figure 3: Search results showing malicious ads on google.com.hk that invite people to download the Telegram app

Once a victim was phished and the group had gained access to a company's network, it disseminated the trojanized files to other employees through WeChat groups.

The Silver Fox group employed a range of Asia-based ASNs, including Tencent, CTG Server Ltd., and TCloudnet, to host its infrastructure. The sections below discuss several files, from a PurpleFox rootkit sample to a few obfuscated files that lead to Python and ELF-based Meterpreter payloads.

192.253.234[.]80:8000 (CTG Server Ltd.)

Figure 4: CTG Server Ltd. hosted open directory

The file named "0" is a Base64-encoded, Gzip-compressed PowerShell script, detected as an Empire implant by VirusTotal. If you guessed that the names of the other two files correspond to the port each communicates over, you'd be correct.
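As an added example (not code from the Hunt post), the following Python peels base64 and gzip layers, in the packaging the file "0" uses, until readable script text appears, and it also handles the UTF-16LE form that `powershell -EncodedCommand` produces. The sample it unpacks is a constructed, benign one-line script, and the ASCII-ratio heuristic is an assumption about what stager text looks like rather than anything taken from the article.

```python
import base64
import binascii
import gzip

GZIP_MAGIC = b"\x1f\x8b"
def _try_base64(data: bytes):
    """Return decoded bytes if data (ignoring whitespace) is valid base64, else None."""
    try:
        return base64.b64decode(b"".join(data.split()), validate=True)
    except binascii.Error:
        return None

def _try_text(data: bytes):
    """Return script text if data is printable UTF-8 or UTF-16LE (used by -EncodedCommand)."""
    for enc in ("utf-8", "utf-16-le"):
        try:
            text = data.decode(enc)
        except UnicodeDecodeError:
            continue
        # Heuristic: stagers are ASCII; the ratio check rejects binary that decodes to printable non-Latin text.
        if text and all(ch.isprintable() or ch in "\r\n\t" for ch in text) \
                and sum(ch.isascii() for ch in text) / len(text) > 0.9:
            return text
    return None

def peel_layers(blob: bytes, max_depth: int = 8):
    """Strip base64/gzip layers until script text appears; returns (layers, text or None)."""
    layers, current = [], blob
    for _ in range(max_depth):
        if current.startswith(GZIP_MAGIC):
            try:
                current = gzip.decompress(current)
            except Exception:
                break  # magic bytes by coincidence, not a real gzip member
            layers.append("gzip")
            continue
        decoded = _try_base64(current)
        # Only descend into a base64 layer if what comes out looks like gzip or text.
        if decoded is not None and (decoded.startswith(GZIP_MAGIC) or _try_text(decoded)):
            current = decoded
            layers.append("base64")
            continue
        break
    return layers, _try_text(current)

# Constructed, benign sample packaged the way such stagers are: script -> gzip -> base64.
INNER_SCRIPT = "Write-Host 'benign sample for layer peeling'"
def build_sample(encoded_command: bool = False) -> bytes:
    # encoded_command=True mimics powershell -EncodedCommand: UTF-16LE text, base64 only.
    if encoded_command:
        return base64.b64encode(INNER_SCRIPT.encode("utf-16-le"))
    return base64.b64encode(gzip.compress(INNER_SCRIPT.encode()))
```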

As shown in Figure 5 below, 47478.elf was detected by 33 vendors.

Figure 5: VirusTotal screenshot of 47478.elf

By contrast, the heavily obfuscated 47477.py was detected by only 6 vendors. A snippet of the script is shown below.

Figure 6: Snippet of 47477.py

Figure 6 shows the script in CyberChef, where it decodes easily. The decoded output, however, contains a further layer of obfuscated code, copied directly from the Metasploit GitHub repository.

Figure 7: Snippet of deobfuscated Python code (Source: CyberChef)

Hashes

Filename     SHA1
0.ps1        f20d5e4417061e5d86a11f601f2368a91cb7847c
47477.py     981e6c1a002636b24810863357d7cc34b04e79c3
47478.elf    981e6c1a002636b24810863357d7cc34b04e79c3

Although the analyzed files might not be directly linked to the Silver Fox group, they offer valuable insight into other threat actors operating within the same ASN. This connection gives researchers and defenders a clearer understanding of the potential threats residing within specific network blocks, aiding their efforts to anticipate and mitigate risks.

206.238.196[.]240:80 (TERAEXCH/Tcloudnet)

Although HTTP File Server (HFS) instances are not well known in open directory research, many contain a wealth of information, hosting some widely known malware and some less known. If you haven't added HFS servers to your research, I suggest doing so today.

Figure 8: Screenshot of open directory at 206.238.196[.]240

The file identified in this directory is a 32-bit Nullsoft Scriptable Install System (NSIS) Windows executable employing SEProtect for obfuscation. Although detected as PurpleFox, this executable also executes GhostRAT, reflecting tactics similar to those detailed in the Secrss article.

Figure 9: Sandbox results of mngboot.exe (Source: https://tria.ge/240423-jj2wbsef4w/behavioral2)

Beyond the exposed server, querying the IP in Hunt shows that, as recently as a few days ago, this same IP was also hosting AsyncRAT.

Figure 10: Hunt IP History -- 206.238.196[.]240

File Hash

Filename     SHA1
mngboot.exe  9fe8436f8e1f6198b883404f0b59256b4f08bbed

Uncovering Attacks and Threats

In this brief overview, we've demonstrated how researchers can leverage historical threat reports to uncover attacker infrastructure before it is actively employed in malicious campaigns.

Explore the past to identify future threats. By signing up for a Hunt account, you can join our efforts to track down concealed attacker infrastructure. This proactive approach helps us better understand emerging cybersecurity risks and take steps to mitigate them.
