
Chasing the Storm


In this blog, we’ll discuss new tactics used in Hailstorm campaigns. These new tactics include infecting systems with a trojan for sending out spam, and leveraging a single system to host a large number of sites to which spam recipients are directed. Investigating one such system, we uncovered 11,769 hostnames with 1,719 domains (2LD+TLD), each of which may serve spam content.

In this analysis of the campaign we’ll combine a mixture of methods from DNS traffic analysis, malware hunting, and sandbox analysis to expand our coverage.

Below you’ll find sections including:

Traffic Analysis: Looking more closely at the hosting IP's popularity.
Hunting: Having identified a hosting IP, we pivot through the hostnames, identifying new hosting IPs and registrants.
Analyzing: Statistical properties in the distribution of subdomains.
Malware Analysis: Analyzing related hashes and samples.

HOSTING IP POPULARITY

We were first notified that the hosting IP 95.31.22[.]193 had an unusual volume of popularity within the last couple of days. Below is an example of what we were seeing.
FIGURE: 95.31.22[.]193 popularity over the last three weeks.

In this plot, alongside the raw popularity, you see a 12-hour moving average that better captures the underlying trend. What piqued our interest is the larger-than-normal popularity of this hosting IP in the last few days.
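The smoothing described above can be turned into a simple surge check. This is an added example, not code from the original post; it assumes popularity is available as hourly query counts for the hosting IP, and the baseline length and threshold factor are assumptions chosen for illustration.

```python
from statistics import median

def trailing_mean(counts, window=12):
    """Trailing moving average; None until a full window of hours exists."""
    out, running = [], 0
    for i, c in enumerate(counts):
        running += c
        if i >= window:
            running -= counts[i - window]
        out.append(running / window if i >= window - 1 else None)
    return out

def flag_surge(counts, window=12, baseline_hours=72, factor=3.0):
    """Indexes of hours whose smoothed value exceeds `factor` times the
    median smoothed value of the preceding `baseline_hours`.
    baseline_hours and factor are assumptions, not values from the post."""
    smooth = trailing_mean(counts, window)
    flagged = []
    for i, value in enumerate(smooth):
        history = [v for v in smooth[max(0, i - baseline_hours):i] if v is not None]
        if value is None or len(history) < window:
            continue  # not enough data to judge this hour
        base = median(history)
        if base > 0 and value > factor * base:
            flagged.append(i)
    return flagged

# Constructed hourly query counts for one hosting IP: four quiet days,
# one isolated noisy hour, then a sustained 24-hour surge.
SAMPLE_COUNTS = [20, 22, 18, 25, 21, 19] * 16
SAMPLE_COUNTS[48] = 300          # single-hour blip
SAMPLE_COUNTS += [200] * 24      # sustained rise, hours 96-119

if __name__ == "__main__":
    hits = flag_surge(SAMPLE_COUNTS)
    print("first flagged hour:", hits[0], "hours flagged:", len(hits))
```

The isolated blip at hour 48 is absorbed by the 12-hour window and is not flagged, while the sustained rise is flagged once enough elevated hours have accumulated in the window.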

HAILSTORM DOMAINS AND HOSTNAMES

This hosting IP 95.31.22[.]193 was hosting confirmed Hailstorm domains. For example:

vmiller.winnifredrobenia[.]win
barrie.winnifredrobenia[.]win
cdavila.winnifredrobenia[.]win
jeffunderwood.winnifredrobenia[.]win
jjefferson.winnifredrobenia[.]win
kenneth.winnifredrobenia[.]win
leonardperez.winnifredrobenia[.]win

Note: Additional domains at the bottom of the blog.

Now, these subdomains appear to be random words rather than random characters.

On this hosting IP alone you’ll find 11,769 hostnames across 1,719 domains (2LD+TLD). Below is the distribution of the number of subdomains per domain on this hosting IP.


FIGURE: Two histograms of the distribution of the number of subdomains to domains. LEFT: graph of all domains. RIGHT: graph of only domains with 5 or more subdomains (185 total domains).
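The counts behind the two histograms can be reproduced from a list of hostnames observed on a hosting IP. This is an added example, not code from the original post; it assumes 2LD+TLD means the last two labels of the hostname, and the example[.]test and example[.]org entries are constructed sample data.

```python
from collections import Counter, defaultdict

def refang(host):
    """'a.b[.]win' -> 'a.b.win', lower-cased, trailing dot removed."""
    return host.strip().lower().replace("[.]", ".").rstrip(".")

def registered_domain(host):
    """2LD+TLD taken as the last two labels.
    Assumption: no multi-label public suffixes (co.uk and similar)."""
    return ".".join(host.split(".")[-2:])

def subdomains_per_domain(hostnames):
    """Map each 2LD+TLD to the set of distinct subdomain prefixes seen."""
    groups = defaultdict(set)
    for raw in hostnames:
        host = refang(raw)
        if "." not in host:
            continue                      # single label, not a hostname
        dom = registered_domain(host)
        prefix = host[:-len(dom)].rstrip(".")
        groups[dom]                       # record the domain even if bare
        if prefix:
            groups[dom].add(prefix)       # duplicates collapse in the set
    return dict(groups)

def histogram(groups):
    """How many domains have exactly k subdomains (left-hand plot)."""
    return Counter(len(subs) for subs in groups.values())

def heavy_domains(groups, minimum=5):
    """Domains with `minimum` or more subdomains (right-hand plot)."""
    return sorted(d for d, subs in groups.items() if len(subs) >= minimum)

SAMPLE_HOSTNAMES = [
    # hostnames quoted in the post
    "vmiller.winnifredrobenia[.]win", "barrie.winnifredrobenia[.]win",
    "cdavila.winnifredrobenia[.]win", "jeffunderwood.winnifredrobenia[.]win",
    "jjefferson.winnifredrobenia[.]win", "kenneth.winnifredrobenia[.]win",
    "winnifredrobenia[.]win", "VMILLER.winnifredrobenia[.]win",
    # constructed entries for contrast
    "mail.example[.]test", "www.example[.]test", "example[.]org",
]

if __name__ == "__main__":
    groups = subdomains_per_domain(SAMPLE_HOSTNAMES)
    print(dict(histogram(groups)), heavy_domains(groups))
```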


Once we found the hosting IP of these hailstorm domains, it was only the beginning.

The domain winnifredrobenia[.]win, which we observed hosted on the IP 95.31.22[.]193, appeared in email messages sent out while we analyzed this trojan in a sandbox environment:

SHA256: e3126968891a813103e4b9a59d31551e73535d5e4cf791da3e661413dca77e12

FIGURE: Spam email with a link to winnifredrobenia[.]win

This trojan will enlist the infected host into the malicious actor’s spam botnet. This technique of sending spam from numerous network locations of infected hosts makes it difficult to stop entirely, since there is no central location of origin.

The file was dropped from pubsearch[.]ru, which we have seen hosted on the IP 134.119.218[.]182.

This is yet another part of the Hailstorm infrastructure. This hosting IP is using the same tactic of registering many new subdomains on a daily basis.


FIGURE: Example of Investigate view of 2LD and 3LD domains on hosting IP

Cisco Umbrella continues to track these Hailstorm campaigns and their infrastructure through IP addresses, domains and email registrants.


The below email registrants have registered domains associated with this wave of Hailstorm:


A sample of IPs:


Hashes communicating with Hailstorm domains and IPs:






A sample of domains:

