
Afternoon. We have Austin Northcut talking about tracking Iranian-backed cyber operations with passive DNS. As a reminder, please put all your questions on besides.org/q&a. With that, Austin, take it away.

Thank you very much, Encore. All right, so welcome to Who Is Your Daddy? It's kind of weird being in a movie theater doing this, and probably the only time it's totally cool to have your phone out in a movie theater. I'm not sure if you're aware, but recently ICANN updated their domain registration format requirements from WHOIS to the Registration Data Access Protocol, also known as RDAP. But "RDAP Daddy" just didn't have the same ring to it, so I stuck with what we knew. So follow along with me. I will try to leave some time for questions at the end. No promises, but if I don't, I'll hang out outside if anyone does have questions or wants to talk to me. Not expecting that, though.

All right, diving in. I'll give you a bottom line up front in case you're like me and get easily distracted. Then we'll go through the inspiration for this work and the IOCs that came with it. We'll dive into an interesting name server and then take a good look at its roommates. Lastly, I'll leave you with some research takeaways or key points.

But up front: don't be suspicious. Probably one of my favorite scenes from that show, if you were a Parks and Rec fan. Typosquatting is a common, well-known tactic threat actors use to avoid suspicion when they're creating malicious domains. However, we will see here a series of threat actors who have taken their use of typosquatting further by imitating infrastructure, relying on a malicious name server that's designed to blend in with legitimate brands or concepts. And then of course I'm going to guide you through how we took four IOCs from an open source report and turned that into over 2,500.

My least favorite slide on this is the one about me, but I'm a solutions engineer at DomainTools, formerly a cyber crime analyst at JPMorgan Chase. In a prior life, a very different world, I was a special education teacher and compliance manager. Probably the most important fact about me is I'm a big barbecue enthusiast. I love smoking brisket for family and friends, having people over for cookouts. It's one of the best things to do, I think.

All right, diving right in. So this starts with a fantastic report on a piece of malware that was written by some researchers at Check Point Research. It focuses on a previously undocumented malware variant that was dubbed BugSleep and attributed to MuddyWater. Diving in, MuddyWater, aka
Static Kitten, aka Day Old Pizza, whatever the different vendors are naming them these days: a state-sponsored threat actor who conducts cyber espionage operations on behalf of Iran's Ministry of Intelligence, or MOIS. The MOIS is akin to Russia's FSB or the Chinese MSS. They serve as Iran's primary intelligence agency and secret police. MuddyWater primarily targets government agencies and private entities, specifically located in the Middle East, and we'll see some of that as well.

All right, diving into the malware. BugSleep, which Check Point had identified, was a custom malware variant that they observed being deployed for the first time in May of 2024. It functions as a backdoor and appears to be a replacement for off-the-shelf remote management tools. The majority of the targeting that was observed was against Israeli entities. MuddyWater activity increased significantly at the start of the Israel-Hamas war, doing a lot of different types of operations. So this was observed being targeted against journalists that were opposed to Gaza-related incidents, and they also targeted a lot of public utilities, which is interesting, so positioning themselves within critical infrastructure. But we also saw targeting of Saudi Arabia, and then I will point out some newer potential targeting based on some of the domains that we identified.

All right. So the report identifies five IOCs as domains, but I will tell you that four of the five are malicious; one is completely benign. Egnyte is a file transfer site that was being abused by MuddyWater. Not exactly a new or novel tactic; we've seen Dropbox, Google Drive, etc. abused by threat actors for malware delivery. These domains served as command and control servers, or C2s. But they all are interesting in the fact that four of the five use a naming structure that contains two to three technology-themed terms: smart cloud, company, software host. So a little bit of typosquatting, but very generic, not really trying to blend in with a specific brand or infrastructure.

In that case, I began to dive into the infrastructure here, looking at the domains' registration records and supporting infrastructure such as the IP, ISPs, registrars, name servers, etc. Something that stuck out, and you can see them highlighted in blue there: four of the five domains, with the exception of Egnyte, which is the legitimate one, are all using a name server that has "hoster daddy" within it. So the three on the left are using ns1 and ns2.hosterdaddy.net, and then on the top right side, the SMTP cloud one is using hosterdaddy.mmarbox.org. But we're seeing the repeated pattern, or use, of
Hoster Daddy. And this really stuck out to me, and I began to dive into: what is Hoster Daddy? From the sounds of it, is this GoDaddy related? Is this something that GoDaddy does with hosting? And that's where we really began to question things here.

So now we'll jump into Who's Your Daddy. Yeah, if you guys aren't looking, you're going to miss some good memes or GIFs there. Okay, he's a little late to the left there. So I looked at: all right, we know about a couple of domains that are using Hoster Daddy for their name server domain. Well, who else is using it? And we identified 31 other apex domains using hosterdaddy.net as their name server. This is a fairly low number of domains for something that seems so generic, right? 31 is not, you know, overly specific. And then we're trying to figure out: is this related to a legitimate infrastructure hosting provider? So I wanted to compare it to the initial group I thought of, which was GoDaddy. So I identified just a single GoDaddy name server there, and I found over 3,300 domains sitting on that list. Obviously, what you see up there, don't bother trying to read; it's intentionally small. No way I could fit 3,300 domains on there. But just the sheer scale or volume shows you how different these name servers are. So a single name server: 3,300. Any name server using Hoster Daddy: we had 31. So it's a little bigger.

So then I wanted to look at: if a term or phrase has been used once, my assumption is usually that it's been used twice or more. So I queried and looked at domains containing the term "hosterdaddy" in them, and then I wanted to look at the related infrastructure. So here are some of the top hits that I have there. We have hostdaddy.info, "hosted by Hosterdaddy." This is an interesting one because it is actually using hostdaddy.net as its name server. It's the only one of these, or actually, yeah, it's the only one of these using it that way. But we see that in 2024 three Hosterdaddy domains were created. A couple of them, or two of them, are using Hosterdaddy Private Limited as their ISP. Below we see hosterdaddy.in. One thing that's interesting, or of note, for that is that hosterdaddy.net and .in are both actually resolving to the same IP address in their A record. Sharing. So I like to refer to that as being roommates. But then when you look below, hostdaddy.com, a much older domain, "hostdaddy.com virtual private servers," they're not quite roommates with hostdaddy.net and .in. It's like they live down the street. So the IP is just a few steps away, living in the same network, etc.

One thing that was proposed to me: I know I mentioned thinking Hoster Daddy's intended to imitate GoDaddy, but there's also the potential that hostdaddy.net is supposed to be imitating hostdaddy.com and their VPS services. The only reason I would say I don't believe that's quite possible is I would think hosterdaddy.com wouldn't be so happy about that happening on their network. So that would seem a little complicit, or, I don't know, negligent. But that's just me. But we can see some of the domain ages at the bottom. I have godaddy.com just showing you when it was first seen,
1999, much older than any of these. It doesn't live anywhere near the other domains in question. Lastly, the ISP doesn't match either, it being on godaddy.com's own ISP. You know, the use of this different infrastructure, but also clusters of infrastructure that are together, kind of supports that GoDaddy really isn't linked to this.

Then I began to look into what's interesting about some of these Hosterdaddy domains. So "hosted by Hosterdaddy," as I mentioned, uses hostdaddy.net as its name server. But we can see a number of domains living on the same IP address there. Most of them are using authentication or login related terms, still that multi, two to three term, naming structure, and living in the .coms. And then we have hosterdaddy.net and .in. Once again, those two are sharing that same IP address, and then they have a number of roommates. Their roommates all use infrastructure hosting related names that blend in. We see use of "daddy" again with servers daddy, hosting pi, probably one of my favorites there, but yeah, servers daddy, your servers DNS: pay attention to those, they should be popping up later in our look, or our report here. Close to the mic.

And of course then I also wanted to look at this: we know that Hoster Daddy was used as a subdomain for one of the name servers. So I started to look to see where else hoster daddy had been used from a subdomain context. I think my favorite one of those is hosterdaddy.hostster; they're very paternal there. But we see a hostdaddy.org.com, just a number of variations of it. Some of them are related and, you know, nested in subdomains there. But we're seeing that repeated use of it at both the apex and the FQDN or subdomain level there.

Next we have "what's in a name server," and hopefully you'll see the clown car that comes out of everything that we dive into here. So I mentioned these domains before. I called them the roommates, or Hoster Daddy's roommates. These are the other domains sharing that same A record IP address as hosterdaddy.net. For the IP bullet, as mentioned, the infrastructure uses hoster related terminology, a couple of terms. So we're matching that same pattern, which aligns with how we know the threat actor has tied their shoes, so the way that they go about doing things or giving naming structures. Like I said, still a few daddies there: hoster daddy, service daddy.

So then I began to perform some roommate background checks. It's always good to figure out, you know, what's going on with your roommates, especially if they're living there. Oh, you get to sit right by me, man, talking to you the whole time here. All right. So at first look, the majority of the domains do not appear to be blatantly malicious; that is, when you're examining them as traditional domains. So their risk score isn't overly high. Servers daddy has popped; it's 100 for the risk score there. But our VirusTotal detections are extremely low. The only one of these having any hits is hosterdaddy.in: one of 94 is phishing related. So really benign there, and I was kind of stuck. I'm like, all right, what do I do? So then I had to take a look and really try to understand what's going on here. And if you recall how
hosterdaddy.net was used: what wasn't showing up as a primary IP address, or a primary domain that was your IOC? It was a name server domain. So then I began to wonder: what if I query all of these domains as name servers individually? If they did it that way once, they might have done it again. And when I did that, I found that there were over 55 unique name servers using one of the 12 roommate domains as a primary, or name server, domain. Got a bunch of blue, 61, so maybe they're football fans. Your servers DNS, servers daddy, popping up. We see hundreds of domains resolving to these individual name servers. In total I had over 2,500 domains between the 55 unique name servers that were using one of the roommate domain names for their name server domain. But yeah, Service Daddy, Service DNS, or Your Service DNS, excuse me, showing up quite frequently here within that group.

So then I started to look at: we have all these domains. Have these domains been flagged by different vendors or services as being malicious here? And we can see a very steady pattern: much higher risk scores than what we were seeing in the other ones, and then also detections. Over a thousand of the domains had been flagged for malware distribution, phishing, spyware, fraud, etc. So a variety of activities. A couple of domains, and they're actually some of the more recent ones, really interest me. The top one, USLUCSM, high score, recent detection: actually diving into and researching that, it was imitating a Turkish-based company that is in steel manufacturing and delivery. So that matches with both their targeting of Middle Eastern entities and also with kind of high-level industry. Right below it we also saw the targeting of a typosquat on Halliburton. If you're not aware, Halliburton is an American multinational corporation, the world's second largest oil service company, obviously that's going to be of concern within the region, and they're responsible for most of the world's fracking. So very interesting targeting seen with Halliburton showing up. And then although I can't attribute this activity to MuddyWater with confidence, or to specific Iran-nexus activity, the targets of those two domains align with prior industries and regions that are frequently targeted by the threat actor. So definitely something of use to go there. Other than that, we saw some scanning, we saw login related domains, just a little bit of everything within the naming structure. I just pulled out some of the ones I truly liked, but almost all of them popped pretty high with scores there.

All right, I talked way quicker than anticipated today, but I've got a few more. So, kind of my takeaways here. We started with four malicious domains. We identified a single unique name server being used by those, hostdaddy.net. From that we looked at the Hoster Daddy IP and identified 12 other domains sharing that same IP address. Obviously on their own, treated as traditional domains, if you will, they appeared fairly benign, but then when we looked at them as hosting, or as name servers, we found 55 unique name servers there, and that resulted in 2,500-plus domains and
counting, probably gone up since I last looked. But what does this mean? You can use that infrastructure to help secure against this potential threat: proactive monitoring or blocking for activity related to those domains, or with domains using those specific name servers, etc.

Research takeaway, something I always talk about: everyone has a pattern tying their shoes. If I ask anyone in here to put their shoes on, whether, you know, I give them just about any pair of sneakers, they're going to tie that knot the same way each time. May not be the way I do it, may not be the way he does it, but we're going to tie shoes a certain way each time. It might even be the pattern of which foot you put the shoe on first. Threat actors have this when they're setting up their malicious infrastructure. They have these unconscious habits that they either set up or do, or things that they just find work well for them, and they continue to do it. When pivoting on a unique data point, something to consider is: how does the actor like to tie their shoes? So when I was pivoting on those 12 roommates, at first I didn't think about the way I would have used the domains, or at first I did think about it. Instead I should have been thinking about what is the way the threat actor uses them, and that was in the name server sense. But always look for kind of unique data points that show up in that same location as well.

Other takeaway: domains are multi-dimensional, right? So the tendency when we're looking at domains is just to treat them as traditional URLs to a web server. But domains show up everywhere: within registration data, passive DNS. You might see them in name servers or mail exchanger records, SOA records, email addresses in registration. You see domains showing up in SSL certs, everywhere. So when you are investigating domains, or really trying to dig in, begin to look at, you know, how is it set up? How have they been used by this group, this entity, in the past? And then sometimes, if you just don't get a hit on the domain, query it another way. Look at it from the email domain perspective. And lastly, always ask the question: who's your daddy? And I had some of my favorite TV dads. I don't think any of them are overly offensive in this one; some of them you have to be careful with. And then if you want to reach out to me, there's my email there. Very complicated: A. Northcut. And then lastly, our pledge