Unearthing New Infrastructure by Revisiting Past Threat Reports
Published on
Published on
Published on
May 21, 2024
May 21, 2024
May 21, 2024
Introduction
Suppose you know David Bianco's "Pyramid of Pain" model. In that case, you know that IP addresses are among the lower indicators of compromise due to their short lifespan and ease of change to legitimate purposes.
However, IP-based intelligence offers valuable insights when examining commonalities (open directories, ports, etc.) across ASNs.
One way of gathering this information is by revisiting past threat reports. In this post, we'll explore how examining IP addresses from historical vendor reports can lead to discovering new attacker infrastructure, providing a window into evolving threats.
Starting Point: The Blog Post
The post we'll be referencing today is on secrss.com and details a phishing campaign attributed to the Silver Fox group targeting Chinese users with the standard GhostRAT malware and a variant first introduced on the t00ls forum dubbed "winos."
The article (published Nov 2023) provides many IP addresses and ports that we could use to find similar infrastructure within the same ASN. Instead, we will look for open directories within some of these networks and see what interesting files await our analysis.
The article on SECRSS delves into the "Silver Fox" cybercriminal group's detailed operations. So what exactly happened?
The Silver Fox group's recent phishing campaign targeted Chinese users and companies through different malicious techniques. Among those techniques, they used SEO (Search Engine Optimization) to make sure their phishing sites rank highly in Chinese search engine results.
With SEO, they used malicious ads and multiple email phishing campaigns to distribute Remote Administration Trojans (RATs) malwares (Gh0st RAT, ValleyRAT, and Sainbox RAT).
When people searched on google.cn or Telegram for example, they would get redirected to google.com.hk to receive uncensored search results filled with malicious ads, possibly from these threat actors.
Once people got phished and the group claimed access to a company's network, they disseminated the trojanized files through WeChat groups to other employees.
The Silver Fox group employed a range of Asia-based ASNs, including Tencent, CTG Server Ltd., and TCloudnet, to host its infrastructure. The section below discusses several files, from a PurpleFox rootkit sample to a few obfuscated files that lead to Python and ELF-based Meterpreter payloads.
192.253.234[.]80:8000 (CTG Server Ltd.)
The file named "0" is a Base64 and Gzip compressed PowerShell script, detected as an Empire implant according to VirusTotal. If you guessed that the names of the other two files correlate with the port each communicates with, you'd be correct.
As shown in Figure 4 below, file 47478.elf was detected by 33 vendors.
By contrast, the highly obfuscated 47477.py was only detected by 6 vendors. A snippet of the script is below.
Figure 6 depicts the script in CyberChef. We can easily decode it. However, additional obfuscated code is also within the code, copied directly from the Metasploit GitHub.
Hashes
| Filename | SHA1 |
|---|---|
| 0.ps1 | f20d5e4417061e5d86a11f601f2368a91cb7847c |
| 47477.py | 981e6c1a002636b24810863357d7cc34b04e79c3 |
| 47478.elf | 981e6c1a002636b24810863357d7cc34b04e79c3 |
Although the analyzed files might not be directly linked to the Silver Fox group, they offer valuable insight into other threat actors operating within the same ASN. This connection gives researchers and defenders a clearer understanding of the potential threats residing within specific network blocks, aiding their efforts to anticipate and mitigate risks.
206.238.196[.]240:80 (TERAEXCH/Tcloudnet)
Although HTTP File Server (HFS) instances are not well known in open directory research, many contain a wealth of information, hosting some widely known malware and some less known. If you haven't added HFS servers to your research, I suggest doing so today.
The file identified in this directory is a 32-bit Nullsoft Scriptable Install System (NSIS) Windows executable employing SEProtect for obfuscation. Although detected as PurpleFox, this executable also executes GhostRAT, reflecting tactics similar to those detailed in the Secrss article.
In addition to the exposed server querying the IP in Hunt, as recently as a few days ago, this same IP was also hosting AsyncRAT.
File Hash
| Filename | SHA1 |
|---|---|
| mngboot.exe | 9fe8436f8e1f6198b883404f0b59256b4f08bbed |
Uncovering Attacks and Threats
In this brief overview, we've demonstrated how researchers can leverage historical threat reports to uncover attacker infrastructure before it is actively employed in malicious campaigns.
Explore the past to identify future threats. By signing up for a Hunt account, you can join our efforts to track down concealed attacker infrastructure. This proactive approach helps us better understand emerging cybersecurity risks and take steps to mitigate them.
Introduction
Suppose you know David Bianco's "Pyramid of Pain" model. In that case, you know that IP addresses are among the lower indicators of compromise due to their short lifespan and ease of change to legitimate purposes.
However, IP-based intelligence offers valuable insights when examining commonalities (open directories, ports, etc.) across ASNs.
One way of gathering this information is by revisiting past threat reports. In this post, we'll explore how examining IP addresses from historical vendor reports can lead to discovering new attacker infrastructure, providing a window into evolving threats.
Starting Point: The Blog Post
The post we'll be referencing today is on secrss.com and details a phishing campaign attributed to the Silver Fox group targeting Chinese users with the standard GhostRAT malware and a variant first introduced on the t00ls forum dubbed "winos."
The article (published Nov 2023) provides many IP addresses and ports that we could use to find similar infrastructure within the same ASN. Instead, we will look for open directories within some of these networks and see what interesting files await our analysis.
The article on SECRSS delves into the "Silver Fox" cybercriminal group's detailed operations. So what exactly happened?
The Silver Fox group's recent phishing campaign targeted Chinese users and companies through different malicious techniques. Among those techniques, they used SEO (Search Engine Optimization) to make sure their phishing sites rank highly in Chinese search engine results.
With SEO, they used malicious ads and multiple email phishing campaigns to distribute Remote Administration Trojans (RATs) malwares (Gh0st RAT, ValleyRAT, and Sainbox RAT).
When people searched on google.cn or Telegram for example, they would get redirected to google.com.hk to receive uncensored search results filled with malicious ads, possibly from these threat actors.
Once people got phished and the group claimed access to a company's network, they disseminated the trojanized files through WeChat groups to other employees.
The Silver Fox group employed a range of Asia-based ASNs, including Tencent, CTG Server Ltd., and TCloudnet, to host its infrastructure. The section below discusses several files, from a PurpleFox rootkit sample to a few obfuscated files that lead to Python and ELF-based Meterpreter payloads.
192.253.234[.]80:8000 (CTG Server Ltd.)
The file named "0" is a Base64 and Gzip compressed PowerShell script, detected as an Empire implant according to VirusTotal. If you guessed that the names of the other two files correlate with the port each communicates with, you'd be correct.
As shown in Figure 4 below, file 47478.elf was detected by 33 vendors.
By contrast, the highly obfuscated 47477.py was only detected by 6 vendors. A snippet of the script is below.
Figure 6 depicts the script in CyberChef. We can easily decode it. However, additional obfuscated code is also within the code, copied directly from the Metasploit GitHub.
Hashes
| Filename | SHA1 |
|---|---|
| 0.ps1 | f20d5e4417061e5d86a11f601f2368a91cb7847c |
| 47477.py | 981e6c1a002636b24810863357d7cc34b04e79c3 |
| 47478.elf | 981e6c1a002636b24810863357d7cc34b04e79c3 |
Although the analyzed files might not be directly linked to the Silver Fox group, they offer valuable insight into other threat actors operating within the same ASN. This connection gives researchers and defenders a clearer understanding of the potential threats residing within specific network blocks, aiding their efforts to anticipate and mitigate risks.
206.238.196[.]240:80 (TERAEXCH/Tcloudnet)
Although HTTP File Server (HFS) instances are not well known in open directory research, many contain a wealth of information, hosting some widely known malware and some less known. If you haven't added HFS servers to your research, I suggest doing so today.
The file identified in this directory is a 32-bit Nullsoft Scriptable Install System (NSIS) Windows executable employing SEProtect for obfuscation. Although detected as PurpleFox, this executable also executes GhostRAT, reflecting tactics similar to those detailed in the Secrss article.
In addition to the exposed server querying the IP in Hunt, as recently as a few days ago, this same IP was also hosting AsyncRAT.
File Hash
| Filename | SHA1 |
|---|---|
| mngboot.exe | 9fe8436f8e1f6198b883404f0b59256b4f08bbed |
Uncovering Attacks and Threats
In this brief overview, we've demonstrated how researchers can leverage historical threat reports to uncover attacker infrastructure before it is actively employed in malicious campaigns.
Explore the past to identify future threats. By signing up for a Hunt account, you can join our efforts to track down concealed attacker infrastructure. This proactive approach helps us better understand emerging cybersecurity risks and take steps to mitigate them.
Related Posts:
The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta...
The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta...
During a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control...
During a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control...
We originally launched our "Open Directory" feature in Hunt a year ago. The premise behind it was to get into the mind of the attacker by get a backstage view into their attacks. What we learned was that there was a ton of information that could be correlated and indexed. Today, we're reaffirming our commitment to getting into the tooling of attackers by launching AttackCapture™ by Hunt.io.
We originally launched our "Open Directory" feature in Hunt a year ago. The premise behind it was to get into the mind of the attacker by get a backstage view into their attacks. What we learned was that there was a ton of information that could be correlated and indexed. Today, we're reaffirming our commitment to getting into the tooling of attackers by launching AttackCapture™ by Hunt.io.
In late 2023, Hunt Research published a blog post detailing how we uncover emerging and previously unknown Gophish infrastructure.
In late 2023, Hunt Research published a blog post detailing how we uncover emerging and previously unknown Gophish infrastructure.
The ToneShell backdoor, frequently associated with Mustang Panda (also known as Stately Taurus and Earth Preta...
During a recent analysis of known Latrodectus infrastructure, our research team encountered a command-and-control...
Hunt Intelligence, Inc.
Hunt Intelligence, Inc.
Hunt Intelligence, Inc.