
Four minutes late. We're doing pretty good. Okay. Hope you all grabbed a coffee, stretched your legs, maybe reminded your phone not to connect to random Wi-Fi. Now that we're recharged, it's time to dive into our next eagerly awaited session. Our speaker is the brilliant David Brunsdon, a renowned threat researcher from Infoblox. David is a master of threat intelligence and DNS, the infamous glue that holds the internet together. Or, if you're on Reddit, it's always DNS's fault. Probably the reason most of us can still check our email Monday mornings. In his talk, Unwanted Guests, David will reveal how crafty attackers exploit compromised or poorly configured infrastructure, from hijacked domains to everyday gadgets turned malware hosts, to pull off their digital heists. If you've ever wondered what mischief happens under the surface when things go wrong, David's got the stories and strategies you need. So please join me, post-caffeinated and full of curiosity, and welcome David to the stage.

Folks, thanks for joining me today. My pleasure to be here to talk about unwanted guests. This is a presentation on understanding the ecosystem of exploited infrastructure. My name again is David Brunsdon. I'm a threat researcher at Infoblox, and I research DNS, hunting threat actors all day every day. Today we're going to talk about several different things, but I want to first start with a brief summary of some of the threats that we're seeing. Then we're going to move into some domain hijacking, specifically talking about dangling records and an attack called Sitting Ducks. We're going to talk about a botnet that we've been monitoring, and that botnet is known as REM Proxy on Russian cybercrime forums, and then that is going to lead us directly into the compromised websites that are being abused for Strela Stealer malware distribution. That involves two threat actors working together: one that we've just recently identified in research that we released on Tuesday, known as Detour Dog, and the IBM-designated Hive0145. And I just want to say that this research is done by myself but also by members of the Infoblox threat intel team, as well as researchers that we've collaborated with, such as GoDaddy Security, Lumen's Black Lotus Labs, and IBM X-Force. At the end there will be a QR code that you can scan, and that'll go to a GitHub that has links to all the research involved with this presentation.

So right off the start, infostealers are kind of the current hotness, and they've been the current hotness for a while with regards to malware infections. There's lots of different ones out there, lots of different flavors. The one we'll be talking about mostly is Strela Stealer. That's a really narrow one; mostly it targets the passwords in Microsoft Outlook and Thunderbird. We also track other infostealers as well. Lumma Stealer is a really popular one right now. That one's much more broad, getting all sorts of passwords, files in user folders, cookies, and so forth. Infostealers have a big ecosystem right now. They're collected in logs, but then they're aggregated and sold. So buyers of infostealer logs will be buying specific things, like for example an EC2 login, or a Netflix login, or passwords to WordPress sites, which is something that we'll be getting to later. And then infostealers, of course, are self-perpetuating; they lead to more compromise, such as ransomware.

The other threat that I want to make sure people understand a lot about is what's known as traffic distribution systems, or TDS. They're not necessarily bad. They can be used ethically, and I'm sure that that's how they were originally designed. Traffic distribution systems are a component of adtech, and the purpose of them is profiling your traffic and redirecting you to the most relevant location. So what happens is they're a component of adtech where publishers will bid on your particular piece of traffic. One example could be, let's say you've got an Android app and you want to target advertisements to just users of Android. You don't want to spend money advertising to iOS users, for example. That would be a great example of a legitimate use of a traffic distribution system. Another feature of them is they filter out bot traffic, which has no value to advertisers. This is the only slide where I refer to traffic distribution systems in a non-malicious way. This legitimate use is certainly not on my radar. I'm interested in traffic distribution systems used in a malicious way.

So malicious traffic distribution systems often appear as legitimate, or pose as legitimate, advertising networks. And instead of profiling buyers, they're looking for victims. So the infrastructure uses two primary techniques, a combination of redirections and cloaking. When you go through a traffic distribution system, it can be a very jarring experience because of the cloaked nature of it; you don't really know where you're going to end up. Up at the top, affiliates operate as traffic sources. So traffic sources for a malicious traffic distribution system could be push notifications, which of course we never accept, or hacked websites, or advertising space on questionable websites like pirating sites and so forth. At the other side of it, at the bottom, we've got affiliates who purchase traffic for their malicious landing pages, and then additionally the TDS will send undesirable traffic to decoy pages or legitimate sites. There's a variety of threats that a malicious traffic distribution system can lead you to. In a sense they've become a threat distribution system. I won't be going over all of them, but for an enterprise certainly a concern would be infostealers. Meanwhile, on the consumer end, we see a lot of fake antivirus, or even legitimate antivirus, where a push notification might just start hammering your phone and saying, "Hey, you might have a virus." Or, "Hey, you do have a virus." And then they just send you to McAfee where you purchase it and they get a commission.
All right, let's begin with some domain hijacking examples. Domain hijacking, in a sense, is quite simple. It's stealing another person's domain, and there's several techniques available. A real simple example is if you can get access to somebody's registrar or DNS settings, then you can redirect those settings to your own malicious infrastructure. A harder to detect method would involve something called domain shadowing. Domain shadowing would be, instead of compromising the entire domain, you would either create or take over an existing subdomain for that domain. And that's really useful if you want to launch an attack on your organization. So I take your subdomain and I create a phishing email. And that phishing email appears to have a legitimate link in it because it's got your own domain in it, but it's got an attacker-controlled subdomain. And so that email could come from a fake IT department that says, "Hey, please go install this Chrome update." And in fact, they've been misled through a hijacked subdomain.

Dangling records are another form of, or an opportunity for, compromise. When you look at DNS, it's really a system of records that point to resources. And so if you have records that point to resources that are non-existent, that's called a dangling record. And in that kind of situation, where a record is pointing to, for example, an IP address that's not there, a mail server that's not there, a CNAME that's not there, an attacker has an opportunity to put something in that location, and then suddenly your DNS record is pointing at their resource. So earlier this year, if you had searched for websites under the CDC, you would have found a variety of adult content as well as some sports stuff. And so I put an image of the sports stuff there. This was an example of a dangling CNAME. In this case, these CNAMEs were pointing at cloud resources. So the threat actor was able to identify a bunch of cloud resources at the CDC, as well as at other organizations like Panasonic, Bose, and Rockwell Automation, and they found that these cloud resources were dangling. So they created accounts at the cloud providers, created resources at the same address, and suddenly they were able to redirect that content into traffic distribution systems, which lead to a variety of threats. So that forms a traffic source for these traffic distribution systems, which allows them to monetize hijacked domains.

Another type of domain hijacking comes from Sitting Ducks attacks. A Sitting Ducks attack is a type of attack that takes advantage of a situation where the name server in the registrar is pointing at an external DNS server and that server is no longer configured. In order to pull off a Sitting Ducks attack, there are a couple of stars that need to be aligned. You can't do this with every domain. You need to have a lame delegation on the domain and an exploitable DNS provider. So what's a lame delegation? That's a situation where the DNS server is designated as authoritative for a domain but does not have the proper information to answer queries for that domain. Let's go through an example now. So a company registers brand.net and brand.com, and the company points the name server records of those domains to an external DNS provider. The company configures brand.com at the DNS provider, but they don't configure brand.net. So because of this, brand.net is considered a lame delegation. It's pointing to DNS records at an external DNS provider that aren't there. This kind of mistake is pretty easy to make. And I understand a lot of organizations have trouble even keeping track of how many domains they own. So there's a lot of opportunity for this out there.

So let's go over those steps again. The hardest thing for me to learn about this type of attack was how easy it was to accomplish. So what the attacker does is they look for these vulnerable domains that have been designated as lame. Then they go to the DNS provider, they create accounts at that DNS provider, and they add that vulnerable domain to their account. From there they just have to add resource records so that those domains now point to malicious IPs, and the victims get routed to malicious services. This is an example of it in the wild. So up at the top we have a domain that was parked at DigitalOcean. Then likely something happened where the owner of the domain lost their account or closed their account at the DNS provider, but they didn't update their records, and then you can see that the IP address was changed to a 193 address, which is located in Russia, and that IP address held there for a couple of months, at which point the threat actor we designated as Vacant Viper returned that domain back to a lame delegation, and then a second threat actor came along, known as VexTrio, and they did the same thing. They took that record, they used it for their own purposes, and they returned it. So we call this the lending library technique, where you take a book, you read the book, and you return it back to the library, except they're using it with your domains. This was reported on previously. What we did was we demonstrated that this in fact was going on at scale, and that's what our reporting brought to this. It's true that most of this activity has a Russian nexus, and that's because it's been reported on previously in Russia quite extensively, and it's not been reported on here as much so far. First of all, I should say you can't do this with every DNS provider. We've identified some specific DNS providers that you can use to perform Sitting Ducks attacks on. DigitalOcean was one example that we gave before, and so far we've identified over 35,000 domains that have been hijacked using this technique.

Another example of a threat actor that uses this specific technique is an actor that uses Sitting Ducks attacks to take domains, and then they run ads on Facebook with those hijacked domains. And those ads on Facebook, you're going to see a pattern here, redirect people into traffic distribution systems to monetize that traffic, and simultaneously people are redirected to threats. And this threat actor uses a couple of DNS providers that we've identified: Linode, TRNet, and A2 Hosting. So what can you do as a domain owner? Well, there's one thing you can do, and then there's a couple of things that other people can do, like the registrar and so forth. As a domain owner, you should make sure that you don't have any lame delegations, and if you do, you should direct those DNS settings to a dummy address or a placeholder address, or something under your control, so that it's not pointing at the DNS provider that you no longer have an account at. Alternatively, some DNS providers are simply naturally better at resisting this type of attack. Cloudflare, as an example, when it provides you name servers, it gives you two name servers. You don't get to pick them. They're two people's names, and this has a natural hardening against this type of attack. Alternatively, a registrar could look for lame delegations and automatically modify those name server records to placeholders instead.

Now let's move on to compromised infrastructure. I mentioned before there's a botnet that we've been tracking known as REM Proxy, and just in general botnets can be a real pain in the neck for defenders. There's reasons why they're so popular. What we see in general is that they're used as a proxy network to enable all sorts of cybercrime. This in turn allows them to hide their activity behind routers that are installed in home offices or offices or homes. It allows DDoS attacks, password brute force type attacks
like credential stuffing, malspam, which is how we've been tracking this botnet, and click fraud. So our investigation into this began with a single email, and from that single email we identified over 60,000 similar emails. And what was really weird was that all of these emails, when we looked at the SMTP address of the sender of these emails, came from over 13,000 different IP addresses. And going on to places like Shodan and so on, we investigated what was going on here, and we found a consistent theme: that these were all MikroTik routers that were the SMTP servers for all of these emails. If the threats were coming from behind the routers, we would have seen a variety of different routers. There would have been Netgear, TP-Link, ASUS routers, and we just did not see that. And then also adding to this confusion was the fact that these emails were being sent by approximately 20,000 different domains. So a huge variety of domains, including the world's largest beverage company, were involved with this. And we identified that a trend in these domains was a simple misconfiguration in DNS that allowed these domains to be spoofed.

So to understand this simple misconfiguration, you're going to have to understand what SPF is, or Sender Policy Framework. So what is SPF? Well, if an email is received, we'd better check and see if that email has been spoofed. The mail server at that time will make a DNS request for the TXT records of the purported mail server. And if configured, this will contain the domain's SPF records. And those SPF records indicate what servers can mail on behalf of that domain and how to handle emails that come from elsewhere. So what went wrong? Well, we identified a simple typo in all 20,000 of those domains that instructed mail servers to allow all SMTP servers to mail on behalf of the domain. So a good SPF record is right there, right? It says include example.com, and then in that case it's a soft deny all. So soft deny everybody other than example.com. All of these domains had it wrong: include example.com and everyone else. Here's a sample of the domains. You can see in each row they're written a little differently, but in each row you'll see that +all consistently down the row.

This is an example of what that email was that we got 60,000 of. Real simple email. We've probably seen it all before. This was spoofing, or pretending to be, DHL. It contained a simple JavaScript file that in turn decoded a PowerShell script that ran a reverse shell connection to the C2 server. This particular IP address exists in what I would call a disreputable part of the internet. If you are into cyber threat intelligence at all, you're probably sick of hearing about Stark Industries. I know I am. This ASN is downstream of Stark Industries, meaning that to get to the greater internet, we have to go through Stark Industries. And today, though, of course, Stark Industries got in a little trouble, so they've kind of been rolled into Perfect Quality Hosting. It's also worth mentioning that MikroTik routers have been identified previously in DDoS attacks on Ukraine. There's no need to claim that there's a zero-day involved with this particular attack. There's plenty of ways to justify it without it. MikroTik routers have historically shipped with a default admin and blank password. And there's buffer overflow attacks and exploits available online that can be downloaded. So it's not necessary to assume a zero-day is involved here. And so if your router's compromised, it's now a product that's available for purchase on Russian cybercrime forums. And this was reported on by Lumen's Black Lotus Labs, who explain the malware that's been used in these routers. I found it really interesting that what they noticed was the most notable use of this botnet was brute forcing WordPress sites, which comes into play later.
So we keep monitoring this botnet. We keep looking for that signature I've been talking about being sent by IPs that we've identified, using this SPF misconfiguration. And in tracking this, we noticed over the summer, starting in June, a campaign involving the sending of SVG files. SVG files are Scalable Vector Graphics. They're kind of like a vector graphic, or a graphic file that has JavaScript in it, which kind of sounds bad. And while researching this, IBM X-Force came out with a great analysis of the malware that's involved here. So essentially this is a Strela Stealer malware campaign, an infostealer campaign. And it has two malware pieces involved with it. There's a downloader that they designated as StarFish. And so the malware infection from the email leads to StarFish, and when you're infected by StarFish, that reaches out to their C2 server, which does a couple of checks and then infects you with Strela Stealer. This campaign was easy to identify because it calls out to a variety of different domains, and it's distinguished by this u=script parameter. Once you open that attachment, you then begin the next stage of the malware infection, where you begin to download the StarFish downloader, and that's indicated as well by this seemingly random domain and then the u=file parameter.

And this takes us into the compromised websites, where from here we were able to identify many, many websites involved with this campaign. One open source way you could look into this is using urlscan and searching for this u=script parameter. And this takes us to our new threat actor, which we recently designated as Detour Dog. Detour Dog is responsible for orchestrating this campaign for Hive0145 behind the scenes. So the malware itself points to a series of compromised domains, and those domains are not actually where the malware is stored. This is all a bit of a three-card Monte game orchestrated by Detour Dog. There's two things going on here. There's a malware campaign leading to Strela Stealer, and separately these websites are compromised so that when you visit them there's a chance you will be redirected into a traffic distribution system. We've identified over 30,000 domains, entirely WordPress sites, that have been compromised by Detour Dog. And most visitors, including the site owners, are not going to notice anything when they visit the site.

Here's how it works. The victim's going to make a GET request to one of these compromised domains, and behind the scenes the compromise on that website is going to make a server-side DNS TXT record request to a Detour Dog authoritative DNS server. And it's formatted in a very particular way. It's got the domain that you're visiting, the IP address of the visitor, a random number, an identifier related to the device that's being used (NA in this example, we think, means Android; there's NI, we think that means iPhone or iOS; there's NW, we think that means Windows), and then the domain that's controlled by Detour Dog. So every site visit initiates this request for C2 from the Detour Dog controlled DNS server, and Detour Dog is going to respond in one of three ways to that request. 90% of the time, based on the data that we've analyzed, that response says don't do anything. That means the site loads normally. So Detour Dog is going to respond with an "err" encoded in base64. That instruction in the compromise means the site does nothing. However, occasionally the response is formatted as a URL, and then the compromised website is going to perform a 302 redirect to that domain. That's the entrance into the traffic distribution system. And third, and rarest, is the response will begin with the expression "down". This is related to the u=script or u=file parameter seen in malware. So when malware accesses the system instead, Detour Dog is going to respond with something like "down" followed by http update msdnserver.com script.php, and what happens is the compromised website is going to strip the word "down", it's going to use curl on the remaining string, and it's going to pass the output to the malware.

This is an example of the flow that takes us from the compromised site to the funnel that is controlled by Detour Dog, which acts as a gateway into the traffic distribution system. From there, they hit something called Help TDS, which is an unknown actor that loves tech support scams. And if you don't get a tech support scam, then you're going to act as a traffic source for an additional TDS, which could lead to other badness. Let's see what happens when Help TDS picks you up. This is what happens: a full-screen priming of the victim. So immediately this pops up, and the victim essentially forgets what they were doing and starts cursing their operating system. It doesn't matter what they click. They're probably not going to click restart, they're probably going to click close, but either way they're thinking about something else right now. This is when the tech support scam begins. So you've got Petya, you've got Emotet, and you've got a solution. You can call that number right there. Do not call that number. They're going to try and get remote desktop into your system. I'm going to guess they're going to try and install an infostealer on your computer. They're going to open up Event Viewer. They're going to point at whatever red X they can and tell you you've got serious problems. And they're going to rope you into some kind of payment scam. And this just shows that this domain is a part of Help TDS, and all of this content is stored directly on Help TDS. This directly implicates the operators of Help TDS as perpetuating the tech support scams.

Skip that one. I wanted to focus on this one right here. I told you there's two threats; we talked about the redirection to the TDS. This is the orchestration behind the scenes done by Detour Dog with regards to the Strela Stealer malware campaign. So on the very left we have the victim. On the far right we've got the Strela C2 server. We've got two compromised sites in blue. And in the middle is Detour Dog's DNS server, which is controlling the compromised sites. So the yellow Strela C2 server, that's going to be controlling the victim's PC. That's the C2 server. But we've got two C2 servers here. Detour Dog is controlling the compromised sites. So the victim opens an SVG file. It calls out to the infected domain using the u=script parameter. Compromised site number one makes a DNS TXT record request to the C2 server via DNS. This includes a type identifier, and Detour Dog responds with "down" followed by http update msdnserver.com script.php. So what does the compromised site do? It goes to the Strela C2 server. It downloads the malware stage. So the compromised site goes and fetches the malware stage and it relays it back to the victim. This hides the activity, and it makes it look like the compromised site is the one that's providing the malware.

At this point, the victim receives a download button, and they click that download button, and that initiates the second callout, this time using the u=file parameter, and that goes to the second compromised domain, and this procedure kind of repeats itself. The second compromised domain sends a similar DNS TXT record request to the Detour Dog C2 server in the middle there. It again responds with one of those "down" commands, this time pointing to the file.php endpoint on the Strela C2 server. And again the compromised site strips the prefix, initiates another curl request to the Strela C2 server, this time receiving a file in the response, and they pass the payload to the victim. It's a WScript Trojan, and that's the StarFish downloader, and here we are at the final stage. The domain we've been talking about, update msdnserver, is a Microsoft lookalike, of course. What StarFish does is it initiates a GET request to that server and provides a little bit of detail in there: computer name, timestamp, and a UUID. When StarFish makes that request, the C2 server responds with an okay, and then it installs some persistence in the form of a registry key. It adds StarFish to launch on startup. The second thing that needs to happen at this point is a screen capture needs to occur, otherwise it goes no further. And then the final stage is that Strela Stealer is deployed, and the credentials are exfiltrated to that server, to the up to.php endpoint. And the big thing here is that researchers are led to believe that the malware was hosted on those compromised sites. And so all of those compromised sites appear in, for example, VirusTotal. You look at VirusTotal, it's pointing to the compromised sites, not the Strela Stealer C2 server.

So I wanted to leave you with a few takeaways. Please harden your infrastructure. We don't need to presume zero-days are the reason why these things are happening. MikroTik in particular has historically not shipped with secure-by-default features. And WordPress sites are not inherently bad; they're just really popular. And recognize that auditing your DNS records is important. You know, misconfigured SPF records can expose your domain to spoofing, and dangling records will lead to compromise. So make sure you do routine audits and ensure everything is resilient and trustworthy, and understand DNS, because this protocol is foundational to both offense and defense in cybersecurity. Thank you very much.
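The SPF audit the talk's "+all" section and its closing takeaways call for, as an added example that is not part of the talk or of Infoblox's tooling: it parses SPF TXT strings offline and flags any record whose first all mechanism is "+all" or a bare "all" (which RFC 7208 treats as "+all"), with the domains and records below being constructed samples.

```python
"""Audit SPF TXT records for the "+all" typo the talk describes.

Added example (not from the talk or Infoblox): it parses SPF strings offline,
so all records below are constructed samples, not real domains.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

QUALIFIERS = "+-~?"


@dataclass
class SpfFinding:
    domain: str
    record: str
    all_qualifier: Optional[str]  # "+", "-", "~", "?" or None when no "all" term
    permissive: bool              # True when any SMTP server passes SPF for the domain
    reason: str


def parse_spf_terms(record: str) -> List[Tuple[str, str, str]]:
    """Split an SPF record into (qualifier, name, argument) triples.

    Mechanisms ("include:x", "ip4:x", "all", ...) get an explicit qualifier;
    RFC 7208 says a missing qualifier means "+", which is why a bare "all" is
    as permissive as "+all". Modifiers ("redirect=x", "exp=x") are returned
    with an empty qualifier. Names are lowercased so "+ALL" is caught too.
    """
    terms = []
    for token in record.split()[1:]:  # skip the "v=spf1" version tag
        if "=" in token and token[0] not in QUALIFIERS:
            name, _, arg = token.partition("=")
            terms.append(("", name.lower(), arg))
            continue
        qualifier = "+"
        if token[0] in QUALIFIERS:
            qualifier, token = token[0], token[1:]
        name, _, arg = token.partition(":")
        terms.append((qualifier, name.lower(), arg))
    return terms


def audit_spf(domain: str, txt_strings: List[str]) -> SpfFinding:
    """Classify the domain's SPF policy from its TXT strings."""
    spf = next((s for s in txt_strings if s.lower().startswith("v=spf1")), None)
    if spf is None:
        return SpfFinding(domain, "", None, False, "no SPF record published")
    terms = parse_spf_terms(spf)
    # Mechanisms are evaluated left to right; the first "all" ends evaluation,
    # so anything after it (including a later "-all") never applies.
    all_term = next((t for t in terms if t[1] == "all"), None)
    if all_term is not None:
        qualifier = all_term[0]
        if qualifier == "+":
            return SpfFinding(domain, spf, "+", True,
                              "'+all' (or bare 'all') lets any server send as this domain")
        return SpfFinding(domain, spf, qualifier, False,
                          f"'{qualifier}all' limits senders to the listed mechanisms")
    redirect = next((t[2] for t in terms if t[1] == "redirect"), None)
    if redirect:
        return SpfFinding(domain, spf, None, False,
                          f"policy delegated with redirect={redirect}; audit that domain")
    return SpfFinding(domain, spf, None, False,
                      "no 'all' term; RFC 7208 default result is neutral")


# Constructed samples mirroring the "written a little differently" rows in the talk.
SAMPLE_RECORDS = {
    "good.example":   ["v=spf1 include:example.com ~all"],
    "strict.example": ["v=spf1 ip4:192.0.2.10 -all"],
    "typo1.example":  ["v=spf1 include:example.com +all"],
    "typo2.example":  ["v=spf1 include:example.com all"],       # bare "all" == "+all"
    "typo3.example":  ["v=spf1 mx a +ALL"],                      # case does not matter
    "typo4.example":  ["v=spf1 +all include:example.com -all"],  # later -all never reached
}


def permissive_domains(records=SAMPLE_RECORDS) -> List[str]:
    """Return the domains whose SPF record allows anyone to spoof them."""
    return sorted(d for d, txt in records.items() if audit_spf(d, txt).permissive)


if __name__ == "__main__":
    for domain, txt in SAMPLE_RECORDS.items():
        finding = audit_spf(domain, txt)
        print(f"{domain:16} permissive={finding.permissive!s:5} {finding.reason}")
```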
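An added detection example (not code from the talk or from Infoblox) for the three TXT answer types the Detour Dog backdoor acts on: it classifies each answer a compromised site received, pulls out the redirect or fetch hostname as an indicator, and reads the device tag from the query name. The log lines, the dd-zone.invalid zone and the C2/TDS hosts are constructed placeholders, and dot-separated query labels are an assumption.

```python
"""Classify the DNS TXT answers a Detour Dog backdoored WordPress site receives.

Added detection example (not code from the talk or from Infoblox). The resolver
log lines are constructed; "dd-zone.invalid" stands in for the Detour Dog zone and
"c2-placeholder.invalid" / "funnel.invalid" for the Strela C2 and TDS hosts.
"""
import base64
import binascii
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlparse

DOWN_PREFIX = "down"                                           # third, rarest answer type
DEVICE_TAGS = {"na": "Android", "ni": "iOS", "nw": "Windows"}  # the talk's best guesses


@dataclass
class C2Instruction:
    action: str                  # "noop", "redirect", "fetch_and_relay" or "unknown"
    url: Optional[str] = None    # URL the backdoor would act on, if any
    host: Optional[str] = None   # hostname from that URL: the indicator worth blocking


def _looks_like_url(text: str) -> bool:
    parsed = urlparse(text)
    return parsed.scheme in ("http", "https") and bool(parsed.netloc)


def _decodes_to_err(text: str) -> bool:
    """The 'do nothing' answer is the string "err" in base64 ("ZXJy")."""
    try:
        return base64.b64decode(text, validate=True) == b"err"
    except (binascii.Error, ValueError):
        return False


def classify_txt_answer(answer: str) -> C2Instruction:
    """Map one TXT answer to the action the backdoor would take on it."""
    answer = answer.strip().strip('"')
    if answer.startswith(DOWN_PREFIX) and _looks_like_url(answer[len(DOWN_PREFIX):]):
        url = answer[len(DOWN_PREFIX):]          # backdoor strips "down", curls the rest
        return C2Instruction("fetch_and_relay", url, urlparse(url).hostname)
    if _looks_like_url(answer):                  # plain URL: 302 into the TDS
        return C2Instruction("redirect", answer, urlparse(answer).hostname)
    if _decodes_to_err(answer):                  # the ~90% case: site loads normally
        return C2Instruction("noop")
    return C2Instruction("unknown")


def device_from_qname(qname: str) -> Optional[str]:
    """Pull the device tag out of the query name.

    Assumes dot-separated labels (the talk gives the field order: visited domain,
    visitor IP, random number, device tag, Detour Dog zone, but not the separators).
    """
    for label in reversed(qname.rstrip(".").split(".")):
        if label.lower() in DEVICE_TAGS:
            return DEVICE_TAGS[label.lower()]
    return None


# Constructed resolver log from the web server host: "<time> <qname> TXT <answer>".
SAMPLE_LOG = """\
2025-06-02T10:00:01Z blog.example.org.203-0-113-9.48213.nw.dd-zone.invalid TXT ZXJy
2025-06-02T10:00:07Z blog.example.org.198-51-100-4.77120.na.dd-zone.invalid TXT https://funnel.invalid/go?x=1
2025-06-02T10:00:09Z blog.example.org.192-0-2-77.11111.nw.dd-zone.invalid TXT downhttp://c2-placeholder.invalid/script.php
"""


def scan_resolver_log(log_text: str) -> List[Tuple[str, C2Instruction]]:
    """Classify every TXT answer in the log; malformed lines are skipped."""
    findings = []
    for line in log_text.splitlines():
        parts = line.split(maxsplit=3)
        if len(parts) != 4 or parts[2] != "TXT":
            continue
        findings.append((parts[1], classify_txt_answer(parts[3])))
    return findings


def extract_indicators(log_text: str) -> List[str]:
    """Hostnames the backdoor was told to redirect to or fetch from."""
    return sorted({i.host for _, i in scan_resolver_log(log_text) if i.host})


if __name__ == "__main__":
    for qname, instr in scan_resolver_log(SAMPLE_LOG):
        print(f"{instr.action:16} device={device_from_qname(qname)} url={instr.url}")
```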