TLDR: Checking in on unc3707’s recent campaigns
Many customers come to us in search of a solution to their threat actor tracking problems, and need a platform to help operationalize a solution. They may know how to generally describe a threat group or an investigational technique, but not quite how to code it up in a way that will benefit the rest of their tools.
Today we’ll describe three simple but related pivots, which help us track both particular groups, as well as unknown but interesting ones.
-
Where else have I seen this exact same malicious content?
-
What other domains exist on the same IP?
-
What other domains exist in the same neighborhood as the IP?
We’ve talked previously about passive dns, as well as domain discovery by ssl cert tracking, and you’re encouraged to read that post to understand those foundational techniques. We also previously talked about three generic hunt techniques in this post.
For the larger analytics exercise, a “related domains” concept we’ll examine is “domains that exist in the same IP neighborhood, and that contain particular keywords”. It’s useful to broadly understand IP allocations across a range of internet services. For these examples, we’ll focus on IPv4, since the intentional usage (as opposed to incidental usage) of IPv6 is still rare with targeted threat actors.
-
Large hosting providers may have many low volume domains on a single IP address, so it would not be strange to see hundreds or thousands of active websites being served off a single IP, especially if they are throw-away type domains.
-
People who purchase a VPS (a slice of a real server) are generally one dedicated IP address, but never more than that for the cheapest plans --- which is what threat actors usually buy, since they're mostly ephemeral
-
People who purchase a server are generally allocated a /29, which provides 5 or 6 usable IP addresses (a broadcast, gateway, and a network IP, plus 5 more). These 8 IPs are sequential.
-
People who start a colocation center (a “colo”), or are just starting an ISP, are allocated IPs in a /24, which provides ~255 IP addresses, again, sequential. This could be someone who purchases a “cage”, which is a physical footprint surrounded by chainlink inside a commercial data center.
If one were looking at a particular domain, they would want to have a quick glance and understand if there is a high or low volume of domains on a particular IP, which is one indication that the IP is solely used by the attacker (such as by a dedicated server or VPS), or if it is a shared hosting environment instead. Keep in mind that just because a domain is pointing to an IP, doesn’t mean that it is actually hosted there --- attackers often point their domains at legitimate services to easily increase the reputation of their domain as they “age” it, like a fine wine. Like wine eventually needs consuming, malicious domains will be activated at some point, and these techniques can detect them before usage.
Upon examining the below phish on ukr-setting.com, one will notice a common template used by a
particular suspected Russian APT group, unc3707. Analysts want to know those three things mentioned above,
preferably
without asking for it.
Let’s break it down.
Where else have you seen this exact same phish content?
There are many ways to answer the question, “where else have you seen
2d6c45eeaa14ba77d75d8eb15bd6d442538062788cbb205c9849a59cece77fe7?” You could use virustotal, you could use silent
push,
you could use censys, you could use strikeready’s internal data --- or
some
combination of many free or premium services --- we can aggregate and correlate them all, to help you answer
“where
else has the response hash been
2d6c45eeaa14ba77d75d8eb15bd6d442538062788cbb205c9849a59cece77fe7"
|
URL |
IP |
ASN |
Registrar |
notes |
|---|---|---|---|---|
|
|
|
AS50613 |
|
|
|
|
|
AS50613 |
|
|
|
|
|
AS50613 |
|
|
|
|
|
AS50613 |
|
mulder and scully not impressed |
|
|
|
AS50613 |
|
Figure 3: domains serving identical content
What other domains exist on the same IPs, 82.221.139.160, 128.183, 141.126?
|
Domain |
First Seen |
Domain Creation |
Registrar |
|---|---|---|---|
|
|
2023-05-12 |
2023-05-12 |
|
|
|
2023-09-27 |
2023-09-27 |
|
|
|
2024-09-26 |
2024-09-25 |
|
|
|
2024-09-13 |
2024-09-12 |
|
Figure 4: other domains on the same IP
We can notice four recent domains on 82.221.139.160, all with the same registrar. However,
when you
combine registration date, and first time seen on the IP, and style, we can only currently associate one
other domain,
ukrrr.com
If you were to repeat this process for the other IPs listed, you could find obviously related domains like
ukr-passc.netand accsua.com.
Attackers often need to set up multiple domains for a given campaign, sometimes a handful, sometimes hundreds, so naturally patterns will emerge, such as with registrars, hosting providers, etc.
If you were an astute observer of numeric patterns, you might notice: whoa, those numbers all start
with
82.221, and they are all registered at internet.bs, what are the
chances?
This is a good observation, and we initially thought that combination would be a rock solid set of
parameters to
pivot on, but it ended up only being partially valid. As it turns out, the domains were created by customers
of
orangewebsite.com, a hosting provider that prides themselves on anonymity. So while there is
abuse, there
are also many legitimate domains.
So that being said, it’s useful to highlight an attribute that has been a useful indicator in the spectrum of suspiciousness over the past 15 years. That indicators is route announcements which have only one upstream. We have found it a useful, but not definitive, way to highlight particular traffic. The good folks at U Oregon provide a free interface to RouteViews if you don’t have easy access to a router to track BGP announcements.
route-views>sho ip bgp 82.221.130.78 | include 50613 20130 23352 3257 30818 50613 20912 3257 30818 50613 3549 3356 3257 30818 50613 3561 209 3356 3257 30818 50613 57866 3491 3257 30818 50613 3257 30818 50613 .... |
Figure 5: routeviews announcement paths of of AS50613
One can notice that there is a single upstream,AS30818. Again, this does not mean it is bad,
but it is
notable.
So, given that artifact, let’s do a pass through AS50613 to look for any domains that contain the
string
‘ukr’. We’ll use the freemium Community version of Silent Push for this (query
link).
|
Domain |
Registrar |
Domain Creation |
|---|---|---|
|
|
|
2021-05-02 |
|
|
|
2022-03-23 |
|
|
|
2023-10-08 |
|
|
|
2023-11-21 |
|
|
2023-11-21 |
|
|
|
|
2023-11-21 |
|
|
|
2023-12-26 |
|
|
|
2023-12-26 |
|
|
|
2023-12-26 |
|
|
|
2024-01-02 |
|
|
|
2024-01-02 |
|
|
2024-01-09 |
|
|
|
|
2024-01-09 |
|
|
|
2024-01-09 |
|
|
|
2024-01-14 |
|
|
2024-04-10 |
|
|
|
|
2024-04-10 |
|
|
|
2024-05-02 |
|
|
|
2024-05-23 |
|
|
2024-06-06 |
|
|
|
|
2024-06-10 |
|
|
|
2024-06-18 |
|
|
|
2024-07-01 |
|
|
2024-09-12 |
|
|
|
|
2024-09-25 |
|
|
|
2024-09-30 |
|
|
|
2024-09-30 |
|
|
2024-10-08 |
|
|
|
|
2024-10-08 |
Figure 6: other domains matching *ukr* on AS50613
A notable outlier in that list is ukraine-story.com, which does not appear to be related to
this
campaign. The site pushes Russian propaganda, and only has a handful of public references from
Czech-speaking
facebook threads. This is a good example of a pivot that can highlight artifacts that may appear solid at
first, but
cannot be confidently attributed to a group after a bit of analytical rigor.
|
Vendor |
Threat Actor name |
|---|---|
|
Google Cloud (née Mandiant) |
unc3707 |
Figure 8: other vendor validated names, drop us a note to be included
Our github provides a download of the relevant domains mentioned in the blog
Acknowledgements
The authors would like to thank the reviewers, as well as peer vendors, for their comments and corrections. Please get in touch at research@strikeready.com if you have corrections, would like us to use your group name, or would like to collaborate on research.