• Skip to primary navigation
  • Skip to main content
  • Skip to footer

Cisco Umbrella

Enterprise network security

  • Contact Sales
  • Login
    • Umbrella Login
    • Cloudlock Login
  • Why Us
    • Why Cisco Umbrella
      • Why Try Umbrella
      • Why DNS Security
      • Why Umbrella SASE
      • Our Customers
      • Customer Stories
      • Why Cisco Secure
    • Fast Reliable Cloud
      • Global Cloud Architecture
      • Cloud Network Status
      • Global Cloud Network Activity
    • Unmatched Intelligence
      • A New Approach to Cybersecurity
      • Interactive Intelligence
      • Cyber Attack Prevention
      • Umbrella and Cisco Talos Threat Intelligence
    • Extensive Integrations
      • IT Security Integrations
      • Hardware Integrations
      • Meraki Integration
      • Cisco Umbrella and SecureX
  • Products
    • Cisco Umbrella Products
      • Cisco Umbrella Cloud Security Service
      • Recursive DNS Services
      • Cisco Umbrella SIG
      • Umbrella Investigate
      • What’s New
    • Product Packages
      • Cisco Umbrella Package Comparison
      • – DNS Security Essentials Package
      • – DNS Security Advantage Package
      • – SIG Essentials Package
      • – SIG Advantage Package
      • Umbrella Support Packages
    • Functionality
      • DNS-Layer Security
      • Secure Web Gateway
      • Cloud Access Security Broker (CASB)
      • Cloud Data Loss Prevention (DLP)
      • Cloud-Delivered Firewall
      • Cloud Malware Protection
      • Remote Browser Isolation (RBI)
    • Man on a laptop with headphones on. He is attending a Cisco Umbrella Live Demo
  • Solutions
    • SASE & SSE Solutions
      • Cisco Umbrella SASE
      • Secure Access Service Edge (SASE)
      • What is SASE
      • What is Security Service Edge (SSE)
    • Functionality Solutions
      • Web Content Filtering
      • Secure Direct Internet Access
      • Shadow IT Discovery & App Blocking
      • Fast Incident Response
      • Unified Threat Management
      • Protect Mobile Users
      • Securing Remote and Roaming Users
    • Network Solutions
      • Guest Wi-Fi Security
      • SD-WAN Security
      • Off-Network Endpoint Security
    • Industry Solutions
      • Government and Public Sector Cybersecurity
      • Financial Services Security
      • Cybersecurity for Manufacturing
      • Higher Education Security
      • K-12 Schools Security
      • Healthcare, Retail and Hospitality Security
      • Enterprise Cloud Security
      • Small Business Cybersecurity
  • Resources
    • Content Library
      • Top Resources
      • Cybersecurity Webinars
      • Events
      • Research Reports
      • Case Studies
      • Videos
      • Datasheets
      • eBooks
      • Solution Briefs
    • International Documents
      • Deutsch/German
      • Español/Spanish
      • Français/French
      • Italiano/Italian
      • 日本語/Japanese
    • Security Definitions
      • What is Secure Access Service Edge (SASE)
      • What is Security Service Edge (SSE)
      • What is a Cloud Access Security Broker (CASB)
      • Cyber Threat Categories and Definitions
    • For Customers
      • Support
      • Customer Success Webinars
      • Cisco Umbrella Studio
  • Trends & Threats
    • Market Trends
      • Hybrid Workforce
      • Rise of Remote Workers
      • Secure Internet Gateway (SIG)
    • Security Threats
      • How to Stop Phishing Attacks
      • Malware Detection and Protection
      • Ransomware is on the Rise
      • Cryptomining Malware Protection
      • Cybersecurity Threat Landscape
      • Global Cyber Threat Intelligence
    •  
    • Woman connecting confidently to any device anywhere
  • Partners
    • Channel Partners
      • Partner Program
      • Become a Partner
    • Service Providers
      • Secure Connectivity
      • Managed Security for MSSPs
      • Managed IT for MSPs
    •  
    • Person looking down at laptop. They are connecting and working securely
  • Blog
    • News & Product Posts
      • Latest Posts
      • Products & Services
      • Customer Focus
      • Feature Spotlight
    • Cybersecurity Posts
      • Security
      • Threats
      • Cybersecurity Threat Spotlight
      • Research
    •  
    • Register for a webinar - with illustration of connecting securely to the cloud
  • Contact Us
  • Umbrella Login
  • Cloudlock Login
  • Free Trial
Security

Chasing the Storm

Author avatar of Andrea KaiserAndrea Kaiser
Updated — March 4, 2020 • 4 minute read
View blog >

In this blog, we’ll discuss new tactics used in Hailstorm campaigns. These new tactics include infecting systems with a trojan for sending out spam, and leveraging a single system for hosting a large number of sites in which spam recipients are directed towards.  Investigating one such system, we uncovered 11,769 hostnames with 1,719 domains (2LD+TLD), each of which may serve spam content. 
In this analysis of the campaign we’ll combine a mixture of methods from DNS traffic analysis, malware hunting, and sandbox analysis to expand our coverage.
Below you’ll find sections including:

  1. Traffic Analysis: Looking more closely at the hosting IPs popularity.
  2. Hunting: Having identified a hosting IP, we pivot through the hostnames identifying new hosting IPs and registrants.
  3. Analyzing: Statistical properties in the distribution of subdomains.
  4. Malware Analysis: Analyzing related hashes and samples.

HOSTING IP POPULARITY

We were first notified of the hosting IP 95.31.22[.]193 having unusual volume of popularity within the last couple days. Below is an example of what we were seeing.

FIGURE: 95.31.22[.]193 popularity over the last three weeks.

In this plot, along with a more raw popularity, you see a 12-hour moving average to better capture the underlying trend. Notice, what piqued our interest is the larger than normal amount of popularity to this hosting IP in the last few days.

HAILSTORM DOMAINS AND HOSTNAMES

This hosting IP 95.31.22[.]193 was hosting confirmed hailstorm domains. For example:

vmiller.winnifredrobenia[.]win
barrie.winnifredrobenia[.]win
cdavila.winnifredrobenia[.]win
jeffunderwood.winnifredrobenia[.]win
jjefferson.winnifredrobenia[.]win
kenneth.winnifredrobenia[.]win
leonardperez.winnifredrobenia[.]win
Note: Additional domains at the bottom of the blog.

Now, these subdomains appear to be random words rather than random characters.
On this hosting IP alone you’ll find 11,769 hostnames made of 1,719 domains (2LD+TLD).  Below is the distribution of the number of subdomains per domain on this hosting IP.
 
              
 

FIGURE: Two histograms of the distribution of the number of subdomains to domains. LEFT: graph of all domains. RIGHT: graph of only domains with 5 or more subdomains (185 total domains).

 

THE NEW STORM

Once we found the hosting IP of these hailstorm domains, it was only the beginning.
This domain winnifredrobenia[.]win, which we observed hosted on the IP 95.31.22[.]193 was seen sent out in email messages we observed from analyzing this trojan in a sandbox environment;

SHA256: e3126968891a813103e4b9a59d31551e73535d5e4cf791da3e661413dca77e12

Spam email with a link to winnifredrobenia[.]win
FIGURE: Spam email with a link to winnifredrobenia[.]win
 
This trojan will enlist the infected host into the malicious actor’s spam botnet. This technique of sending spam from numerous network locations of infected hosts makes it difficult to stop entirely, since there is no central location of origin.
The file was dropped from pubsearch[.]ru which we have seen hosted on the IP 134.119.218[.]182.
This is yet another part of the Hailstorm infrastructure. This hosting IP is using the same tactic of registering many new subdomains on a daily basis.

example of Investigate view of LD2 and LD3 domains on hosting IP
FIGURE: Example of Investigate view of 2LD and 3LD domains on hosting IP

Cisco Umbrella continues to track these Hailstorm campaigns and their infrastructure through IP addresses, domains and email registrants.

IOCS

The below email registrants have registered domains associated with this wave of Hailstorm:

bossraz@ya[.]ru

veremeikom@gmail[.]com

andrejn797@gmail[.]com

fsn.vladimir@gmail[.]com

nbelikov11@gmail[.]com

radanatoliy@gmail[.]com

bossraz@yandex[.]net

alexstoiev123@gmail[.]com

darat@xrbox[.]com

A sample of IPs:

134.119.218[.]182

146.255.193[.]186

93.186.192[.]94

85.25.210[.]136

213.159.212[.]211

193.124.179[.]165

134.119.218[.]179

93.186.196[.]16

176.123.2[.]249

5.9.55[.]110

5.178.83[.]50

176.31.106[.]23

185.31.161[.]198

176.31.106[.]23

95.31.22[.]193

Hashes communicating with Hailstorm domains and IPs:
 

d938bd8ced1534ad6939d9e168e16f62dace7194829f1ef6f326ae911ee8e9a2

e68ca920c85b7f187273c85cdd943c46aaaed057f3bf82fdcd39edb83694740b

90c31a89a9a2c402c33e2199b906768b583d0ad11a1072ad5f2e2058e992a668

e3126968891a813103e4b9a59d31551e73535d5e4cf791da3e661413dca77e12

68fd651a697119b49942381382a7646931b1eea1e0b895ebaedb0b1d5eb0fcc2

 
A sample of domains:

www684.alanwinnifredrobenia[.]win
www878.andrea.winnifredrobenia[.]win
www521.arb.winnifredrobenia[.]win
www563.bdeese.winnifredrobenia[.]win
www585.bengel.winnifredrobenia[.]win
www.casey.winnifredrobenia[.]win
www274.charlesprice.winnifredrobenia[.]win
www283.cristobr.winnifredrobenia[.]win
www190.dmoultonwinnifredrobenia[.]win
www874.dmoultonwinnifredrobenia[.]win
www195.ealesmultotec.winnifredrobenia[.]win
www751.hcortez.winnifredrobenia[.]win
www868.ianclapp.winnifredrobenia[.]win
www729.jatkins.winnifredrobenia[.]win
www903.jonhunt.winnifredrobenia[.]win
www459.jstevens.winnifredrobenia[.]win
www821.jzhang.winnifredrobenia[.]win
www476.lj.winnifredrobenia[.]win
www456.lj.winnifredrobenia[.]win
www457.lj.winnifredrobenia[.]win
www504.lnunes.winnifredrobenia[.]win
www717.mike.winnifredrobenia[.]win
www935.mpennwinnifredrobenia[.]win
www996.nguyenconglap.winnifredrobenia[.]win
www118.nic.winnifredrobenia[.]win
www746.nic.winnifredrobenia[.]win
www934.nic.winnifredrobenia[.]win
www911.nick.winnifredrobenia[.]win
www300.obienichols.winnifredrobenia[.]win
www587.paul.winnifredrobenia[.]win
www828.peter.winnifredrobenia[.]win
www771.pistininzi.winnifredrobenia[.]win
www331.psimoslaw.winnifredrobenia[.]win
www920.richardbishop.winnifredrobenia[.]win
www214.roel.winnifredrobenia[.]win
www310.rsbr.winnifredrobenia[.]win
www336.vinnycarey.winnifredrobenia[.]win
www734.vinnycarey.winnifredrobenia[.]win
winnifredrobenia[.]win
bill.winnifredrobenia[.]win
dillingham.winnifredrobenia[.]win
dkey.winnifredrobenia[.]win
garywright.winnifredrobenia[.]win
jakedaigle.winnifredrobenia[.]win
josephhenthornwinnifredrobenia[.]win
liz.winnifredrobenia[.]win
makethecall.winnifredrobenia[.]win
mlkgoldens.winnifredrobenia[.]win
molloym.winnifredrobenia[.]win
nic.winnifredrobenia[.]win
ns1.winnifredrobenia[.]win
ns2.winnifredrobenia[.]win
pastorjeff.winnifredrobenia[.]win
patrick.winnifredrobenia[.]win
toolmanwinnifredrobenia[.]win
vmiller.winnifredrobenia[.]win
barrie.winnifredrobenia[.]win
cdavila.winnifredrobenia[.]win
jeffunderwood.winnifredrobenia[.]win
jjeffersonwinnifredrobenia[.]win
kenneth.winnifredrobenia[.]win
leonardperez.winnifredrobenia[.]win
matthelling.winnifredrobenia[.]win
mreed.winnifredrobenia[.]win
mshamimarainwinnifredrobenia[.]win
pdagrandrapids.winnifredrobenia[.]win
tbradford.winnifredrobenia[.]win
tembos.winnifredrobenia[.]win
www.winnifredrobenia[.]win
yukyw.winnifredrobenia[.]win
zbig.winnifredrobenia[.]win

Suggested Blogs

  • Cisco Umbrella Delivered Better Cybersecurity and 231% ROI February 21, 2023 2 minute read
  • Cisco Listed as a Representative Vendor in Gartner® Market Guide for Single-Vendor SASE January 26, 2023 3 minute read
  • How to Evaluate SSE Vendors: Questions to Ask, Pitfalls to Avoid June 23, 2022 5 minute read

Share this blog

FacebookTweetLinkedIn

Follow Us

  • Twitter
  • Facebook
  • LinkedIn
  • YouTube

Footer Sections

What we make

  • Cloud Security Service
  • DNS-Layer Network Security
  • Secure Web Gateway
  • Security Packages

Who we are

  • Global Cloud Architecture
  • Cloud Network Status
  • Cloud Network Activity
  • OpenDNS is now Umbrella
  • Cisco Umbrella Blog

Learn more

  • Webinars
  • Careers
  • Support
  • Cisco Umbrella Live Demo
  • Contact Sales
Umbrella by Cisco
208.67.222.222+208.67.220.220
2620:119:35::35+2620:119:53::53
Sign up for a Free Trial
  • Cisco Online Privacy Statement
  • Terms of Service
  • Sitemap

© 2023 Cisco Umbrella