In this blog, we’ll discuss new tactics used in Hailstorm campaigns. These new tactics include infecting systems with a trojan for sending out spam, and leveraging a single system for hosting a large number of sites to which spam recipients are directed. Investigating one such system, we uncovered 11,769 hostnames across 1,719 domains (2LD+TLD), each of which may serve spam content.
In this analysis of the campaign we’ll combine a mixture of methods from DNS traffic analysis, malware hunting, and sandbox analysis to expand our coverage.
Below you’ll find sections including:
- Traffic Analysis: looking more closely at the hosting IP's popularity.
- Hunting: having identified a hosting IP, we pivot through the hostnames to identify new hosting IPs and registrants.
- Analyzing: statistical properties of the distribution of subdomains.
- Malware Analysis: analyzing related hashes and samples.

HOSTING IP POPULARITY

We were first notified of the hosting IP 95.31.22[.]193 having an unusual volume of popularity within the last couple of days. Below is an example of what we were seeing.

FIGURE: 95.31.22[.]193 popularity over the last three weeks.
In this plot, along with the raw popularity, you see a 12-hour moving average that better captures the underlying trend. What piqued our interest is the larger-than-normal popularity of this hosting IP in the last few days.
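The smoothing and spike-flagging step described above, as an added example that is not part of the original post or of Cisco Umbrella's tooling. It takes hourly query counts for a hosting IP, computes the 12-hour moving average, learns a baseline from the first two weeks, and flags hours where the smoothed popularity rises well above that baseline. The hourly counts are constructed (a flat two-week baseline followed by a three-day ramp), and the thresholds (three standard deviations, with a 1.5x-baseline floor so a very quiet baseline does not make every wobble an alert) are assumptions, not values from the post.

```python
from statistics import mean, pstdev

HOURS_PER_DAY = 24


def constructed_hourly_counts(days=21, ramp_start_day=18):
    """Constructed query counts for one hosting IP (not real Umbrella data).

    The baseline alternates 50/60 queries per hour; from ramp_start_day on,
    an extra 400 queries per hour is added for each day of the ramp.
    """
    counts = []
    for hour in range(days * HOURS_PER_DAY):
        base = 50 if hour % 2 == 0 else 60
        day = hour // HOURS_PER_DAY
        if day >= ramp_start_day:
            base += 400 * (day - ramp_start_day + 1)
        counts.append(base)
    return counts


def moving_average(series, window=12):
    """Trailing moving average; early points average over what is available."""
    return [
        sum(series[max(0, i - window + 1): i + 1]) / len(series[max(0, i - window + 1): i + 1])
        for i in range(len(series))
    ]


def flag_spikes(series, window=12, baseline_hours=14 * HOURS_PER_DAY, z=3.0, ratio_floor=1.5):
    """Return (flagged_hour_indices, threshold).

    The threshold is the larger of mean + z * stdev of the smoothed baseline
    and ratio_floor * mean, so that a near-constant baseline still requires a
    material increase before an hour is flagged.
    """
    smooth = moving_average(series, window)
    baseline = smooth[:baseline_hours]
    mu, sigma = mean(baseline), pstdev(baseline)
    threshold = max(mu + z * sigma, ratio_floor * mu)
    flagged = [i for i, v in enumerate(smooth) if i >= baseline_hours and v > threshold]
    return flagged, threshold


if __name__ == "__main__":
    counts = constructed_hourly_counts()
    flagged, threshold = flag_spikes(counts)
    print(f"threshold on 12h average: {threshold:.1f} queries/hour")
    if flagged:
        print(f"popularity above threshold from hour {flagged[0]} (day {flagged[0] // HOURS_PER_DAY}) "
              f"through hour {flagged[-1]}, {len(flagged)} hours in total")
```

On the constructed series the first flagged hour is the first hour of day 18, because the 12-hour window already contains one ramped hour and the average jumps from 55 to about 88 queries per hour, above the 1.5x floor of roughly 82.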
HAILSTORM DOMAINS AND HOSTNAMES

This hosting IP 95.31.22[.]193 was hosting confirmed Hailstorm domains. For example:

vmiller.winnifredrobenia[.]win
barrie.winnifredrobenia[.]win
cdavila.winnifredrobenia[.]win
jeffunderwood.winnifredrobenia[.]win
jjefferson.winnifredrobenia[.]win
kenneth.winnifredrobenia[.]win
leonardperez.winnifredrobenia[.]win

Note: additional domains are listed at the bottom of the blog.
Now, these subdomains appear to be random words rather than random characters.
On this hosting IP alone you’ll find 11,769 hostnames made of 1,719 domains (2LD+TLD). Below is the distribution of the number of subdomains per domain on this hosting IP.
FIGURE: Two histograms of the distribution of the number of subdomains per domain. LEFT: all domains. RIGHT: only domains with 5 or more subdomains (185 domains in total).
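The grouping behind those histograms, as an added example that is not code from the original post. It takes a list of defanged hostnames, reduces each to its 2LD+TLD, counts distinct hostnames per domain, and produces the "how many domains have N hostnames" distribution plus the 5-or-more cut used in the right-hand plot. The input is constructed: the seven hostnames quoted above plus a few invented example-* names (assumptions) so the distribution has more than one bar. The 2LD+TLD rule assumes a single-label TLD such as .win; a public-suffix list would be needed for names under co.uk-style suffixes.

```python
from collections import Counter, defaultdict

# Constructed input (assumption): the seven hostnames quoted in the post,
# one deliberate duplicate, and three invented example-* names.
SAMPLE_HOSTNAMES = [
    "vmiller.winnifredrobenia[.]win",
    "barrie.winnifredrobenia[.]win",
    "cdavila.winnifredrobenia[.]win",
    "jeffunderwood.winnifredrobenia[.]win",
    "jjefferson.winnifredrobenia[.]win",
    "kenneth.winnifredrobenia[.]win",
    "leonardperez.winnifredrobenia[.]win",
    "barrie.winnifredrobenia[.]win",   # duplicate on purpose: counted once
    "mail.example-alpha[.]win",        # constructed
    "web.example-alpha[.]win",         # constructed
    "example-beta[.]win",              # constructed bare domain, no subdomain label
]


def refang(name):
    """Turn defanged 'a[.]b' notation back into a plain lower-case name."""
    return name.strip().lower().replace("[.]", ".").rstrip(".")


def registered_domain(hostname):
    """2LD+TLD of a hostname, assuming a single-label TLD (no public-suffix list)."""
    labels = refang(hostname).split(".")
    if len(labels) < 2 or not all(labels):
        raise ValueError(f"not a fully qualified name: {hostname!r}")
    return ".".join(labels[-2:])


def hostnames_per_domain(hostnames):
    """Map registered domain -> number of distinct hostnames seen under it."""
    buckets = defaultdict(set)
    for h in hostnames:
        buckets[registered_domain(h)].add(refang(h))
    return {domain: len(names) for domain, names in buckets.items()}


def histogram(counts):
    """Map 'hostnames per domain' -> number of domains with exactly that many."""
    return dict(Counter(counts.values()))


def domains_with_at_least(counts, minimum=5):
    """Domains that clear the cut used for the right-hand histogram."""
    return sorted(domain for domain, n in counts.items() if n >= minimum)


if __name__ == "__main__":
    counts = hostnames_per_domain(SAMPLE_HOSTNAMES)
    print(f"{sum(counts.values())} hostnames across {len(counts)} domains (2LD+TLD)")
    for size, n_domains in sorted(histogram(counts).items()):
        print(f"  {n_domains} domain(s) with {size} hostname(s)")
    print("domains with 5 or more hostnames:", domains_with_at_least(counts))
```

Running the same functions over a full passive-DNS export for a hosting IP gives the two histograms directly: `histogram(counts)` is the left plot and `histogram({d: n for d, n in counts.items() if n >= 5})` the right one.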
THE NEW STORM

Once we found the hosting IP of these Hailstorm domains, it was only the beginning.
The domain winnifredrobenia[.]win, which we observed hosted on the IP 95.31.22[.]193, appeared in email messages sent out by the following trojan when we analyzed it in a sandbox environment. SHA256: e3126968891a813103e4b9a59d31551e73535d5e4cf791da3e661413dca77e12
FIGURE: Spam email with a link to winnifredrobenia[.]win
This trojan will enlist the infected host into the malicious actor’s spam botnet. This technique of sending spam from numerous network locations of infected hosts makes it difficult to stop entirely, since there is no central location of origin.
The file was dropped from pubsearch[.]ru, which we have seen hosted on the IP 134.119.218[.]182. This is yet another part of the Hailstorm infrastructure. This hosting IP uses the same tactic of registering many new subdomains on a daily basis.
FIGURE: Example of Investigate view of 2LD and 3LD domains on hosting IP
Cisco Umbrella continues to track these Hailstorm campaigns and their infrastructure through IP addresses, domains and email registrants.
IOCS

The email registrants below have registered domains associated with this wave of Hailstorm:
bossraz@ya[.]ru
veremeikom@gmail[.]com
andrejn797@gmail[.]com
fsn.vladimir@gmail[.]com
nbelikov11@gmail[.]com
radanatoliy@gmail[.]com
bossraz@yandex[.]net
alexstoiev123@gmail[.]com
darat@xrbox[.]com

A sample of IPs:
134.119.218[.]182
146.255.193[.]186
93.186.192[.]94
85.25.210[.]136
213.159.212[.]211
193.124.179[.]165
134.119.218[.]179
93.186.196[.]16
176.123.2[.]249
5.9.55[.]110
5.178.83[.]50
176.31.106[.]23
185.31.161[.]198
95.31.22[.]193

Hashes communicating with Hailstorm domains and IPs:
d938bd8ced1534ad6939d9e168e16f62dace7194829f1ef6f326ae911ee8e9a2
e68ca920c85b7f187273c85cdd943c46aaaed057f3bf82fdcd39edb83694740b
90c31a89a9a2c402c33e2199b906768b583d0ad11a1072ad5f2e2058e992a668
e3126968891a813103e4b9a59d31551e73535d5e4cf791da3e661413dca77e12
68fd651a697119b49942381382a7646931b1eea1e0b895ebaedb0b1d5eb0fcc2
A sample of domains:
www684.alanwinnifredrobenia[.]win
www878.andrea.winnifredrobenia[.]win
www521.arb.winnifredrobenia[.]win
www563.bdeese.winnifredrobenia[.]win
www585.bengel.winnifredrobenia[.]win
www.casey.winnifredrobenia[.]win
www274.charlesprice.winnifredrobenia[.]win
www283.cristobr.winnifredrobenia[.]win
www190.dmoultonwinnifredrobenia[.]win
www874.dmoultonwinnifredrobenia[.]win
www195.ealesmultotec.winnifredrobenia[.]win
www751.hcortez.winnifredrobenia[.]win
www868.ianclapp.winnifredrobenia[.]win
www729.jatkins.winnifredrobenia[.]win
www903.jonhunt.winnifredrobenia[.]win
www459.jstevens.winnifredrobenia[.]win
www821.jzhang.winnifredrobenia[.]win
www476.lj.winnifredrobenia[.]win
www456.lj.winnifredrobenia[.]win
www457.lj.winnifredrobenia[.]win
www504.lnunes.winnifredrobenia[.]win
www717.mike.winnifredrobenia[.]win
www935.mpennwinnifredrobenia[.]win
www996.nguyenconglap.winnifredrobenia[.]win
www118.nic.winnifredrobenia[.]win
www746.nic.winnifredrobenia[.]win
www934.nic.winnifredrobenia[.]win
www911.nick.winnifredrobenia[.]win
www300.obienichols.winnifredrobenia[.]win
www587.paul.winnifredrobenia[.]win
www828.peter.winnifredrobenia[.]win
www771.pistininzi.winnifredrobenia[.]win
www331.psimoslaw.winnifredrobenia[.]win
www920.richardbishop.winnifredrobenia[.]win
www214.roel.winnifredrobenia[.]win
www310.rsbr.winnifredrobenia[.]win
www336.vinnycarey.winnifredrobenia[.]win
www734.vinnycarey.winnifredrobenia[.]win
winnifredrobenia[.]win
bill.winnifredrobenia[.]win
dillingham.winnifredrobenia[.]win
dkey.winnifredrobenia[.]win
garywright.winnifredrobenia[.]win
jakedaigle.winnifredrobenia[.]win
josephhenthornwinnifredrobenia[.]win
liz.winnifredrobenia[.]win
makethecall.winnifredrobenia[.]win
mlkgoldens.winnifredrobenia[.]win
molloym.winnifredrobenia[.]win
nic.winnifredrobenia[.]win
ns1.winnifredrobenia[.]win
ns2.winnifredrobenia[.]win
pastorjeff.winnifredrobenia[.]win
patrick.winnifredrobenia[.]win
toolmanwinnifredrobenia[.]win
vmiller.winnif