Finding the unknown unknowns, part 2 (unc3707)

Oct 28, 2024 by StrikeReady Labs 6 minutes

TLDR: Checking in on unc3707’s recent campaigns

Many customers come to us in search of a solution to their threat actor tracking problems, and need a platform to help operationalize a solution. They may know how to generally describe a threat group or an investigational technique, but not quite how to code it up in a way that will benefit the rest of their tools.

Today we’ll describe three simple but related pivots, which help us track both particular groups, as well as unknown but interesting ones.

  1. Where else have I seen this exact same malicious content?

  2. What other domains exist on the same IP?

  3. What other domains exist in the same neighborhood as the IP?

We’ve talked previously about passive dns, as well as domain discovery by ssl cert tracking, and you’re encouraged to read that post to understand those foundational techniques. We also previously talked about three generic hunt techniques in this post.


For the larger analytics exercise, a “related domains” concept we’ll examine is “domains that exist in the same IP neighborhood, and that contain particular keywords”. It’s useful to broadly understand IP allocations across a range of internet services. For these examples, we’ll focus on IPv4, since the intentional usage (as opposed to incidental usage) of IPv6 is still rare with targeted threat actors.

  • Large hosting providers may have many low volume domains on a single IP address, so it would not be strange to see hundreds or thousands of active websites being served off a single IP, especially if they are throw-away type domains.

  • People who purchase a VPS (a slice of a real server) are generally allocated one dedicated IP address, and rarely more than that on the cheapest plans --- which is what threat actors usually buy, since their infrastructure is mostly ephemeral.

  • People who purchase a dedicated server are generally allocated a /29: 8 sequential addresses, of which 5 are usable once the network address, the broadcast address and the provider's gateway are taken out (6 if the gateway is not carved from the block).

  • People who start a colocation footprint (a “colo”), or are just starting an ISP, are allocated a /24: 256 sequential addresses, 254 of them usable as hosts. This could be someone who purchases a “cage”, which is a physical footprint surrounded by chainlink inside a commercial data center.

If one were looking at a particular domain, they would want to take a quick glance and understand whether there is a high or low volume of domains on that IP. A low volume is one indication that the IP is used solely by the attacker (such as a dedicated server or VPS); a high volume points to a shared hosting environment instead. Keep in mind that just because a domain points to an IP doesn’t mean that it is actually hosted there --- attackers often point their domains at legitimate services to cheaply build up the reputation of the domain while they “age” it, like a fine wine. Just as wine eventually needs drinking, malicious domains will be activated at some point, and these techniques can surface them before they are used.
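The two IP pivots above (same IP, same IP neighborhood) and the shared-versus-dedicated heuristic can be implemented with nothing but Python's standard library. This is an added example, not StrikeReady's code: the passive-DNS style records below are constructed for illustration (the ukrrr.com / ukr-setting.com rows reuse an IP from the post, every *.example domain is hypothetical), and the 50-domain threshold for calling an IP "shared" is an assumption to tune per hosting provider.

```python
import ipaddress
from collections import defaultdict

# CONSTRUCTED passive-DNS style records: (domain, ip, first_seen).
# The two ukr* domains and their IP come from the post; every *.example
# entry is hypothetical and only exists to populate the neighborhood.
RECORDS = [
    ("ukrrr.com",          "82.221.141.126", "2024-09-26"),
    ("ukr-setting.com",    "82.221.141.126", "2024-09-13"),
    ("neighbor-a.example", "82.221.141.121", "2024-09-14"),  # same /29 (.120-.127)
    ("neighbor-b.example", "82.221.141.200", "2021-01-01"),  # same /24 only
    ("unrelated.example",  "203.0.113.7",    "2020-06-01"),  # different network
]
# A shared host with hundreds of throw-away domains on one IP (hypothetical).
RECORDS += [(f"site{i}.example", "198.51.100.5", "2022-01-01") for i in range(300)]


def domains_per_ip(records):
    """Count distinct domains seen on each IP."""
    by_ip = defaultdict(set)
    for domain, ip, _ in records:
        by_ip[ip].add(domain)
    return {ip: len(doms) for ip, doms in by_ip.items()}


def classify_ip(ip, records, shared_threshold=50):
    """'shared' when the IP carries many domains (mass hosting), otherwise
    'dedicated', i.e. plausibly a single VPS/server the actor controls.
    The threshold is an assumption; tune it per hosting provider."""
    n = domains_per_ip(records).get(ip, 0)
    return "shared" if n >= shared_threshold else "dedicated"


def same_ip(records, ip):
    """Pivot 2: other domains resolving to exactly this IP."""
    return sorted({d for d, a, _ in records if a == ip})


def neighbors(records, ip, prefixlen):
    """Pivot 3: domains on *other* IPs inside the same /prefixlen block.
    /29 approximates a dedicated-server allocation, /24 a colo/ISP one."""
    net = ipaddress.ip_network(f"{ip}/{prefixlen}", strict=False)
    return sorted(
        (d, a) for d, a, _ in records
        if a != ip and ipaddress.ip_address(a) in net
    )


if __name__ == "__main__":
    ip = "82.221.141.126"
    print(ip, "->", classify_ip(ip, RECORDS), same_ip(RECORDS, ip))
    print("/29 neighbors:", neighbors(RECORDS, ip, 29))
    print("/24 neighbors:", neighbors(RECORDS, ip, 24))
    print("198.51.100.5 ->", classify_ip("198.51.100.5", RECORDS))
```

Widening from /29 to /24 is where the false-positive rate climbs: the /29 hit lands on the same presumed server allocation, while the /24 hit may just be another customer of the same provider, so treat /24 neighbors as candidates to check against registrar, registration date and naming style rather than as associations in their own right.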


Upon examining the phish below on ukr-setting.com, one will notice a common template used by a particular suspected Russian APT group, unc3707. Analysts want to know the three things mentioned above, preferably without having to ask for them.

Let’s break it down.

[Figure: screenshot of the initial phish on ukr-setting.com]

Where else have you seen this exact same phish content?

There are many ways to answer the question “where else have you seen 2d6c45eeaa14ba77d75d8eb15bd6d442538062788cbb205c9849a59cece77fe7?” You could use VirusTotal, Silent Push, Censys, StrikeReady’s internal data, or some combination of many free or premium services. We can aggregate and correlate them all, to help you answer “where else has the response hash been 2d6c45eeaa14ba77d75d8eb15bd6d442538062788cbb205c9849a59cece77fe7?”
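Under the hood, the “where else have I seen this hash?” pivot is an index from a hash of the raw response body to the URLs that served it. The following added example (not StrikeReady's code, and not a capture of the real pages) builds that index over constructed response bodies keyed by the URLs from Figure 3; the bodies are made up, so they do not hash to the value quoted above. The whitespace-stripping second key is an added assumption about a useful looser pivot, not something the post describes.

```python
import hashlib
import re
from collections import defaultdict

# CONSTRUCTED response bodies keyed by the URLs from Figure 3. These are
# not captures of the real pages; they only illustrate the pivot.
RESPONSES = {
    "uukkrr.net/files/":      b"<html><body><form id=login>ukr.net</form></body></html>",
    "seukr.net/files":        b"<html><body><form id=login>ukr.net</form></body></html>",
    "ukr-setting.com/files/": b"<html><body><form id=login>ukr.net</form></body></html>\n",
    "unrelated.example/":     b"<html><body>nothing to see</body></html>",
}


def body_hash(body: bytes) -> str:
    """SHA-256 of the raw response bytes: the value you would query for."""
    return hashlib.sha256(body).hexdigest()


def normalized_hash(body: bytes) -> str:
    """Looser pivot (an assumption added here, not from the post): hash after
    stripping all whitespace, so a trailing newline or a re-indented copy of
    the same template still matches."""
    return hashlib.sha256(re.sub(rb"\s+", b"", body)).hexdigest()


def index_by_hash(responses, hasher=body_hash):
    """Build hash -> sorted URLs, the structure behind 'where else have I seen this?'"""
    idx = defaultdict(list)
    for url, body in responses.items():
        idx[hasher(body)].append(url)
    return {h: sorted(urls) for h, urls in idx.items()}


def same_content(responses, url, hasher=body_hash):
    """Other URLs whose body hashes identically under `hasher`."""
    target = hasher(responses[url])
    return [u for u in index_by_hash(responses, hasher)[target] if u != url]


if __name__ == "__main__":
    print(body_hash(RESPONSES["uukkrr.net/files/"]))
    print("exact:     ", same_content(RESPONSES, "uukkrr.net/files/"))
    print("normalized:", same_content(RESPONSES, "uukkrr.net/files/", normalized_hash))
```

The exact hash is the one to exchange with other vendors, since everyone computes SHA-256 over the same bytes; the caveat it shows is that a single trailing newline (ukr-setting.com in the constructed data) is enough to break an exact match, which is why a normalized key is worth keeping alongside it.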

URL | IP | ASN | Registrar | Notes
--- | --- | --- | --- | ---
uukkrr.net/files/ | 82.221.139.160 | AS50613 | internet.bs |
kinoafisha.ua.ukrrr.com/files/ | 82.221.141.126 | AS50613 | internet.bs |
seukr.net/files | 82.221.139.160 | AS50613 | internet.bs |
xfiles-uk.net/files/ | 82.221.128.183 | AS50613 | internet.bs | mulder and scully not impressed
ukr-setting.com/files/ | 82.221.141.126 | AS50613 | internet.bs |

Figure 3: domains serving identical content

What other domains exist on the same IPs, 82.221.139.160, 82.221.128.183 and 82.221.141.126?

Domain | First Seen | Domain Creation | Registrar
--- | --- | --- | ---
alightcruellane.net | 2023-05-12 | 2023-05-12 | internet.bs
scallopsflippant.com | 2023-09-27 | 2023-09-27 | internet.bs
ukrrr.com | 2024-09-26 | 2024-09-25 | internet.bs
ukr-setting.com | 2024-09-13 | 2024-09-12 | internet.bs

Figure 4: other domains on the same IP

Four domains show up on 82.221.139.160, all with the same registrar. However, once registration date, first-seen date on the IP and naming style are combined, only one other domain can currently be associated with the campaign: ukrrr.com, created 2024-09-25 and seen on the IP the following day, the same day-after-registration pattern as ukr-setting.com.

If you were to repeat this process for the other IPs listed, you would find obviously related domains such as ukr-passc.net and accsua.com.


Attackers often need to set up multiple domains for a given campaign, sometimes a handful, sometimes hundreds, so naturally patterns will emerge, such as with registrars, hosting providers, etc.

If you were an astute observer of numeric patterns, you might notice: whoa, those IPs all start with 82.221, and the domains are all registered at internet.bs, what are the chances? This is a good observation, and we initially thought that combination would be a rock-solid set of parameters to pivot on, but it ended up being only partially valid. As it turns out, the domains were created by customers of orangewebsite.com, a hosting provider that prides itself on anonymity. So while there is abuse, there are also many legitimate domains.

That said, it’s worth highlighting one attribute that has been a useful indicator on the spectrum of suspiciousness over the past 15 years: route announcements that have only one upstream. We have found it a useful, but not definitive, way to single out particular traffic. The good folks at the University of Oregon provide a free interface to RouteViews if you don’t have easy access to a router for checking BGP announcements.

route-views>sho ip bgp 82.221.130.78 | include 50613
  20130 23352 3257 30818 50613
  20912 3257 30818 50613
  3549 3356 3257 30818 50613
  3561 209 3356 3257 30818 50613
  57866 3491 3257 30818 50613
  3257 30818 50613
  ....

Figure 5: RouteViews announcement paths for AS50613

One can notice that there is a single upstream, AS30818. Again, this does not mean it is bad, but it is notable.
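Reading the upstream off the AS paths is mechanical: in each path the origin AS is the last hop and its upstream is the AS immediately before it. The following added example (not StrikeReady's code) parses the path lines from Figure 5 and reports the set of upstreams; the final sample line, with the origin prepended twice, is constructed to show that prepending is collapsed before the neighbor is read. It assumes the input is the filtered output as shown above, i.e. lines containing only AS numbers, with the `route-views>` prompt line left out.

```python
import re

# Path lines from Figure 5 (origin AS50613). The last line is CONSTRUCTED:
# an origin-prepended path, added to show that prepending is handled.
SHOW_IP_BGP = """\
  20130 23352 3257 30818 50613
  20912 3257 30818 50613
  3549 3356 3257 30818 50613
  3561 209 3356 3257 30818 50613
  57866 3491 3257 30818 50613
  3257 30818 50613
  ....
  3257 30818 50613 50613
"""


def parse_as_paths(text):
    """Turn 'show ip bgp ... | include <origin>' lines into lists of ASNs.
    Assumes each line is a bare AS path; digits are pulled out so that
    {AS_SET} braces or stray punctuation do not break parsing, and lines
    without any ASN (such as '....') are skipped."""
    paths = []
    for line in text.splitlines():
        asns = re.findall(r"\d+", line)
        if asns:
            paths.append(asns)
    return paths


def collapse_prepends(path):
    """Remove consecutive duplicate ASNs (AS-path prepending)."""
    out = []
    for asn in path:
        if not out or out[-1] != asn:
            out.append(asn)
    return out


def upstreams(paths, origin):
    """The set of ASes seen directly before `origin` across all paths."""
    ups = set()
    for path in paths:
        path = collapse_prepends(path)
        if len(path) >= 2 and path[-1] == origin:
            ups.add(path[-2])
    return ups


def single_upstream(paths, origin):
    """True when every observed path reaches `origin` through one AS."""
    return len(upstreams(paths, origin)) == 1


if __name__ == "__main__":
    paths = parse_as_paths(SHOW_IP_BGP)
    print("upstreams of AS50613:", upstreams(paths, "50613"))
    print("single upstream:", single_upstream(paths, "50613"))
```

Because RouteViews aggregates paths from many peers, a single upstream across all of them says more than the same observation from one router; conversely a second upstream appearing on only a handful of paths is worth re-checking later rather than discarding, since this indicator is about notability, not verdicts.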

So, given that artifact, let’s do a pass through AS50613 to look for any domains that contain the string ‘ukr’. We’ll use the freemium Community version of Silent Push for this (query link).

Domain | Registrar | Domain Creation
--- | --- | ---
ukr-site.com | internet.bs | 2021-05-02
ukraine-story.com | internet.bs | 2022-03-23
manageukr.net | internet.bs | 2023-10-08
data-ukr.com | internet.bs | 2023-11-21
ukr-edit.com | internet.bs | 2023-11-21
ukr-mail.com | internet.bs | 2023-11-21
mail-ukr-net.systems | TLD Registrar Solutions Ltd. | 2023-12-26
ukr-net.systems | TLD Registrar Solutions Ltd. | 2023-12-26
ukr-reset.email | TLD Registrar Solutions Ltd. | 2023-12-26
accounts-ukr.com | internet.bs | 2024-01-02
support-ukr.com | internet.bs | 2024-01-02
xe-ukr.net | internet.bs | 2024-01-09
xh-ukr.net | internet.bs | 2024-01-09
localukre.com | internet.bs | 2024-01-09
qr-logukr.com | internet.bs | 2024-01-14
ukrlocalsystems.net | internet.bs | 2024-04-10
ukrmailpost.net | internet.bs | 2024-04-10
accsukr.com | internet.bs | 2024-05-02
verifukr.com | internet.bs | 2024-05-23
ukrstnet.com | internet.bs | 2024-06-06
ukrsets.com | internet.bs | 2024-06-10
ukrsett.com | internet.bs | 2024-06-18
uasetukr.com | internet.bs | 2024-07-01
ukr-setting.com | internet.bs | 2024-09-12
ukrrr.com | internet.bs | 2024-09-25
seukr.net | internet.bs | 2024-09-30
ukr-passc.net | internet.bs | 2024-09-30
ukr-hub.com | internet.bs | 2024-10-08
ukrrbox.com | internet.bs | 2024-10-08

Figure 6: other domains matching *ukr* on AS50613

A notable outlier in that list is ukraine-story.com, which does not appear to be related to this campaign. The site pushes Russian propaganda, and only has a handful of public references from Czech-speaking facebook threads. This is a good example of a pivot that can highlight artifacts that may appear solid at first, but cannot be confidently attributed to a group after a bit of analytical rigor.
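A keyword match against an ASN returns candidates, not associations, and the registration dates in Figure 6 are what turn candidates into something defensible: several of the domains were registered in same-day batches at the same registrar, which is how an actor who buys infrastructure for a campaign tends to behave, while the outliers sit alone. The following added example (not StrikeReady's code) transcribes the Figure 6 rows and groups them that way; the minimum batch size of 2 is an assumption.

```python
from collections import Counter, defaultdict

# Rows of Figure 6 as (domain, registrar, creation date), transcribed from the post.
FIGURE_6 = [
    ("ukr-site.com", "internet.bs", "2021-05-02"),
    ("ukraine-story.com", "internet.bs", "2022-03-23"),
    ("manageukr.net", "internet.bs", "2023-10-08"),
    ("data-ukr.com", "internet.bs", "2023-11-21"),
    ("ukr-edit.com", "internet.bs", "2023-11-21"),
    ("ukr-mail.com", "internet.bs", "2023-11-21"),
    ("mail-ukr-net.systems", "TLD Registrar Solutions Ltd.", "2023-12-26"),
    ("ukr-net.systems", "TLD Registrar Solutions Ltd.", "2023-12-26"),
    ("ukr-reset.email", "TLD Registrar Solutions Ltd.", "2023-12-26"),
    ("accounts-ukr.com", "internet.bs", "2024-01-02"),
    ("support-ukr.com", "internet.bs", "2024-01-02"),
    ("xe-ukr.net", "internet.bs", "2024-01-09"),
    ("xh-ukr.net", "internet.bs", "2024-01-09"),
    ("localukre.com", "internet.bs", "2024-01-09"),
    ("qr-logukr.com", "internet.bs", "2024-01-14"),
    ("ukrlocalsystems.net", "internet.bs", "2024-04-10"),
    ("ukrmailpost.net", "internet.bs", "2024-04-10"),
    ("accsukr.com", "internet.bs", "2024-05-02"),
    ("verifukr.com", "internet.bs", "2024-05-23"),
    ("ukrstnet.com", "internet.bs", "2024-06-06"),
    ("ukrsets.com", "internet.bs", "2024-06-10"),
    ("ukrsett.com", "internet.bs", "2024-06-18"),
    ("uasetukr.com", "internet.bs", "2024-07-01"),
    ("ukr-setting.com", "internet.bs", "2024-09-12"),
    ("ukrrr.com", "internet.bs", "2024-09-25"),
    ("seukr.net", "internet.bs", "2024-09-30"),
    ("ukr-passc.net", "internet.bs", "2024-09-30"),
    ("ukr-hub.com", "internet.bs", "2024-10-08"),
    ("ukrrbox.com", "internet.bs", "2024-10-08"),
]


def keyword_filter(rows, keyword):
    """The ASN-wide substring pivot; every Figure 6 row already matches 'ukr'."""
    return [r for r in rows if keyword in r[0]]


def registration_batches(rows, min_size=2):
    """Group domains registered on the same day at the same registrar.
    Returns {(registrar, date): [domains]} for groups of at least min_size
    (min_size is an assumption; raise it to demand stronger evidence)."""
    groups = defaultdict(list)
    for domain, registrar, created in rows:
        groups[(registrar, created)].append(domain)
    return {k: sorted(v) for k, v in groups.items() if len(v) >= min_size}


def singletons(rows, min_size=2):
    """Domains that share neither registrar nor creation day with another row;
    these are the ones to scrutinize before attributing them."""
    batched = {d for ds in registration_batches(rows, min_size).values() for d in ds}
    return sorted(d for d, _, _ in rows if d not in batched)


def registrar_counts(rows):
    """How concentrated the candidate set is at a single registrar."""
    return dict(Counter(registrar for _, registrar, _ in rows))


if __name__ == "__main__":
    for (registrar, day), domains in sorted(registration_batches(FIGURE_6).items(), key=lambda kv: kv[0][1]):
        print(day, registrar, domains)
    print("singletons:", singletons(FIGURE_6))
    print("registrars:", registrar_counts(FIGURE_6))
```

Run over the table, ukraine-story.com falls into the singleton bucket along with the other one-off registrations, which is consistent with the analysis above: nothing in the batching ties it to the campaign, and the substring match alone is what pulled it in.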

Vendor | Threat Actor name
--- | ---
Google Cloud (née Mandiant) | unc3707

Figure 8: other vendor validated names, drop us a note to be included

Our github provides a download of the relevant domains mentioned in the blog

Acknowledgements

The authors would like to thank the reviewers, as well as peer vendors, for their comments and corrections. Please get in touch at research@strikeready.com if you have corrections, would like us to use your group name, or would like to collaborate on research.
