In this blog, we’ll discuss new tactics used in Hailstorm campaigns. These new tactics include infecting systems with a trojan for sending out spam, and leveraging a single system for hosting a large number of sites in which spam recipients are directed towards. Investigating one such system, we uncovered 11,769 hostnames with 1,719 domains (2LD+TLD), each of which may serve spam content.
In this analysis of the campaign we’ll combine a mixture of methods from DNS traffic analysis, malware hunting, and sandbox analysis to expand our coverage.
Below you’ll find sections including:
- Traffic Analysis: Looking more closely at the hosting IPs popularity.
- Hunting: Having identified a hosting IP, we pivot through the hostnames identifying new hosting IPs and registrants.
- Analyzing: Statistical properties in the distribution of subdomains.
- Malware Analysis: Analyzing related hashes and samples.
HOSTING IP POPULARITY
We were first notified of the hosting IP 95.31.22[.]193 having unusual volume of popularity within the last couple days. Below is an example of what we were seeing.
![Lines chart - 95.31.22[.]193 popularity over the last three weeks](https://cdn.umbrella.marketops.umbrella.com/wp-content/uploads/2017/03/25164333/pic3-1024x273.png)
FIGURE: 95.31.22[.]193 popularity over the last three weeks.
In this plot, along with a more raw popularity, you see a 12-hour moving average to better capture the underlying trend. Notice, what piqued our interest is the larger than normal amount of popularity to this hosting IP in the last few days.
HAILSTORM DOMAINS AND HOSTNAMES
This hosting IP 95.31.22[.]193 was hosting confirmed hailstorm domains. For example:
vmiller.winnifredrobenia[.]win
barrie.winnifredrobenia[.]win
cdavila.winnifredrobenia[.]win
jeffunderwood.winnifredrobenia[.]win
jjefferson.winnifredrobenia[.]win
kenneth.winnifredrobenia[.]win
leonardperez.winnifredrobenia[.]win
Note: Additional domains at the bottom of the blog.
Now, these subdomains appear to be random words rather than random characters.
On this hosting IP alone you’ll find 11,769 hostnames made of 1,719 domains (2LD+TLD). Below is the distribution of the number of subdomains per domain on this hosting IP.
FIGURE: Two histograms of the distribution of the number of subdomains to domains. LEFT: graph of all domains. RIGHT: graph of only domains with 5 or more subdomains (185 total domains).
THE NEW STORM
Once we found the hosting IP of these hailstorm domains, it was only the beginning.
This domain winnifredrobenia[.]win, which we observed hosted on the IP 95.31.22[.]193 was seen sent out in email messages we observed from analyzing this trojan in a sandbox environment;
SHA256: e3126968891a813103e4b9a59d31551e73535d5e4cf791da3e661413dca77e12
![Spam email with a link to winnifredrobenia[.]win](https://s3-us-west-1.amazonaws.com/umbrella-blog-uploads/wp-content/uploads/2017/03/07161637/email-1024x460.png)
This trojan will enlist the infected host into the malicious actor’s spam botnet. This technique of sending spam from numerous network locations of infected hosts makes it difficult to stop entirely, since there is no central location of origin.
The file was dropped from pubsearch[.]ru which we have seen hosted on the IP 134.119.218[.]182.
This is yet another part of the Hailstorm infrastructure. This hosting IP is using the same tactic of registering many new subdomains on a daily basis.
Cisco Umbrella continues to track these Hailstorm campaigns and their infrastructure through IP addresses, domains and email registrants.
IOCS
The below email registrants have registered domains associated with this wave of Hailstorm:
bossraz@ya[.]ru
veremeikom@gmail[.]com
andrejn797@gmail[.]com
fsn.vladimir@gmail[.]com
nbelikov11@gmail[.]com
radanatoliy@gmail[.]com
bossraz@yandex[.]net
alexstoiev123@gmail[.]com
darat@xrbox[.]com
A sample of IPs:
134.119.218[.]182
146.255.193[.]186
93.186.192[.]94
85.25.210[.]136
213.159.212[.]211
193.124.179[.]165
134.119.218[.]179
93.186.196[.]16
176.123.2[.]249
5.9.55[.]110
5.178.83[.]50
176.31.106[.]23
185.31.161[.]198
176.31.106[.]23
95.31.22[.]193
Hashes communicating with Hailstorm domains and IPs:
d938bd8ced1534ad6939d9e168e16f62dace7194829f1ef6f326ae911ee8e9a2
e68ca920c85b7f187273c85cdd943c46aaaed057f3bf82fdcd39edb83694740b
90c31a89a9a2c402c33e2199b906768b583d0ad11a1072ad5f2e2058e992a668
e3126968891a813103e4b9a59d31551e73535d5e4cf791da3e661413dca77e12
68fd651a697119b49942381382a7646931b1eea1e0b895ebaedb0b1d5eb0fcc2
A sample of domains:
www684.alanwinnifredrobenia[.]win
www878.andrea.winnifredrobenia[.]win
www521.arb.winnifredrobenia[.]win
www563.bdeese.winnifredrobenia[.]win
www585.bengel.winnifredrobenia[.]win
www.casey.winnifredrobenia[.]win
www274.charlesprice.winnifredrobenia[.]win
www283.cristobr.winnifredrobenia[.]win
www190.dmoultonwinnifredrobenia[.]win
www874.dmoultonwinnifredrobenia[.]win
www195.ealesmultotec.winnifredrobenia[.]win
www751.hcortez.winnifredrobenia[.]win
www868.ianclapp.winnifredrobenia[.]win
www729.jatkins.winnifredrobenia[.]win
www903.jonhunt.winnifredrobenia[.]win
www459.jstevens.winnifredrobenia[.]win
www821.jzhang.winnifredrobenia[.]win
www476.lj.winnifredrobenia[.]win
www456.lj.winnifredrobenia[.]win
www457.lj.winnifredrobenia[.]win
www504.lnunes.winnifredrobenia[.]win
www717.mike.winnifredrobenia[.]win
www935.mpennwinnifredrobenia[.]win
www996.nguyenconglap.winnifredrobenia[.]win
www118.nic.winnifredrobenia[.]win
www746.nic.winnifredrobenia[.]win
www934.nic.winnifredrobenia[.]win
www911.nick.winnifredrobenia[.]win
www300.obienichols.winnifredrobenia[.]win
www587.paul.winnifredrobenia[.]win
www828.peter.winnifredrobenia[.]win
www771.pistininzi.winnifredrobenia[.]win
www331.psimoslaw.winnifredrobenia[.]win
www920.richardbishop.winnifredrobenia[.]win
www214.roel.winnifredrobenia[.]win
www310.rsbr.winnifredrobenia[.]win
www336.vinnycarey.winnifredrobenia[.]win
www734.vinnycarey.winnifredrobenia[.]win
winnifredrobenia[.]win
bill.winnifredrobenia[.]win
dillingham.winnifredrobenia[.]win
dkey.winnifredrobenia[.]win
garywright.winnifredrobenia[.]win
jakedaigle.winnifredrobenia[.]win
josephhenthornwinnifredrobenia[.]win
liz.winnifredrobenia[.]win
makethecall.winnifredrobenia[.]win
mlkgoldens.winnifredrobenia[.]win
molloym.winnifredrobenia[.]win
nic.winnifredrobenia[.]win
ns1.winnifredrobenia[.]win
ns2.winnifredrobenia[.]win
pastorjeff.winnifredrobenia[.]win
patrick.winnifredrobenia[.]win
toolmanwinnifredrobenia[.]win
vmiller.winnifredrobenia[.]win
barrie.winnifredrobenia[.]win
cdavila.winnifredrobenia[.]win
jeffunderwood.winnifredrobenia[.]win
jjeffersonwinnifredrobenia[.]win
kenneth.winnifredrobenia[.]win
leonardperez.winnifredrobenia[.]win
matthelling.winnifredrobenia[.]win
mreed.winnifredrobenia[.]win
mshamimarainwinnifredrobenia[.]win
pdagrandrapids.winnifredrobenia[.]win
tbradford.winnifredrobenia[.]win
tembos.winnifredrobenia[.]win
www.winnifredrobenia[.]win
yukyw.winnifredrobenia[.]win
zbig.winnifredrobenia[.]win
