Cisco Umbrella

Enterprise network security

Security

From Dedicated to Compromised Domains: The Shift in Adversaries' MO to Deliver Exploit Kit Attacks

By Dhia Mahjoub

Earlier this year, we covered results of a 5-month study (November 2013 to February 2014) on tracking Nuclear Exploit kit domains from a hosting IP infrastructure perspective [1]. We discussed the evasive methods of the bad actors, their abuse of hosting providers, and we elaborated on methods to predictively identify and block IP infrastructures set up by adversaries to deliver Exploit kit attacks. Since then, several elements have changed in the MO of bad actors.
In this blog, we discuss some results of a subsequent new 5-month study we conducted between February and June 2014. Earlier brief results were discussed at BSides Raleigh 2013 [2] (slides 27,28), and then we shared some preliminary results of the new study at the ISOI13 conference in March [3]. This work is still ongoing and we will cover more details at BlackHat [4] and VirusBulletin [5].
For this study, we designed a system to preemptively and effectively detect malicious subdomains injected under compromised domains (particularly GoDaddy domains) and track their IP infrastructure. The phenomena of compromised GoDaddy domains serving malware has been around for at least 2 years [6]. The compromise can happen through at least two methods: hacking GoDaddy accounts or injecting malicious redirection scripts into vulnerable GoDaddy websites. When the compromise is successful, subdomains (third level domains) are injected under the GoDaddy domains (second level domains), and these subdomains would resolve to malicious sites.

Most Abused ASNs

We have been monitoring this threat for the past 5 months (February to June 2014) and observed that the subdomains resolve to IPs serving Exploit kit attacks (typically Nuclear [7][8] and Angler [9][10]) and also browser-based ransomware. We recorded several hundred IPs hosting these malicious subdomains over the period of the study.
The top 5 abused ASNs are:

  • 16276 OVH SAS
  • 24961 myLoc managed IT AG
  • 15003 Nobis Technology Group, LLC
  • 41853 LLC NTCOM
  • 20473 Choopa, LLC

AS16276, which is OVH, hosted 18% of the total malicious IPs. In this specific case, as the abuse of OVH has been exposed since last year and up until February 2014 (particularly for hosting Nuclear Exploit domains [11]), bad actors have changed their MO: they switched temporarily to other hosting providers, and started using recycled IPs (not reserved exclusively for Exploit domains). Additionally, OVH took action by suspending rogue accounts.
However, by monitoring the compromised domains’ campaigns, we observed that OVH was still being abused by bad actors to host malicious content. These were the general changes in bad actors’ MO that we observed:

  • From a domain perspective, for a while, bad actors had been abusing various ccTLDs (e.g. .pw, .in.net, .ru, etc.) facilitated by rogue or victim registrars and resellers. Then, they supplemented that approach with using compromised domains, particularly GoDaddy domains under which they inject subdomains to host Exploit kit landing urls and browlock (Notice that using compromised domains for attacks goes further back in the past for other different campaigns).
  • From an IP perspective, bad actors used to bring the attack hosting IPs online in contiguous chunks, then they started bringing them up in randomized sets or one IP at a time.
  • The other notable fact is that bad actors used to abuse OVH Canada (attached to ARIN) where rogue customers were reserving re-assigned small ranges (/27, /28, /29, etc.). By consulting the ARIN Rwhois database, it was possible to correlate the rogue customers with the IP ranges they reserve and therefore predict and block the IP infrastructures they set up for Exploit kit attacks. As the adversaries changed MO, this method became less effective in tracking them.
  • The shift became clear when they started to more frequently use ranges on OVH’s European IP space (which is attached to RIPE) as well as other European providers. Typically, we saw small gaming hosting providers being abused among other platforms.

Additionally, although the standard geolocation of OVH European IP space maps to France (FR), the attack IP ranges were reserved from OVH’s server pools in various European countries (France, Belgium, Italy, UK, Ireland, Spain, Portugal, Germany, Netherlands, Finland, Czech Republic, and Russia).
This clearly shows that the adversaries are diversifying their hosting assets which provides them redundancy and evasive capabilities. Notice also that RIPE has stricter data protection laws so it would be more difficult to obtain information about customers, and that could explain the shift in hosting infrastructures by the bad actors.
More generally, we list a few of the small scale hosting providers involved in hosting the attack subdomains. These hosting providers could either be abused, complicit with the bad actors or simply lax about the maliciousness of the content they host. Notice the rogue providers among these will often switch prefixes by dropping dirty ones and reserving new ones from the backbone providers they are attached to.

  • http://king-servers.com/en/ This hoster has been observed to host Exploit kit domains (Angler, Styx), porn, dating sites, pharma sites [12]. It was also described by a comment on Web Of Trust as “Offers bulletproof hosting for Russian-Ukrainian criminals (malware distributors etc)” [13].

king_servers

  • http://evrohoster.ru/en/ hosted browlock through redirections from porn sites [14].

evrohoster

  • http://www.xlhost.com/ hosted Angler EK domains
  • https://www.ubiquityhosting.com/ hosted browlock.
  • http://www.qhoster.bg/ hosted Nuclear EK domains.
  • http://www.codero.com/
  • http://www.electrickitten.com/web-hosting/

String Analysis of Domain Names

During this study, we recorded 19,000+ malicious subdomains injected under 4200+ compromised GoDaddy 2LDs. By analyzing the strings used for the subdomains, we recorded 12,000+ different labels. We show the list of top 5 labels used: police, alertpolice, css, windowsmoviemaker, solidfileslzsr. police and alertpolice were the most used labels for hostnames serving browlock and the remaining labels were used for hostnames serving mainly Exploit kit attacks.
In the chart below, we show the frequency of number of occurrences for all used labels.
labels_occur

One single label occurred 746 times (police), 1 label occured 22 times (alertpolice), 1 label occurred 10 times (css), 15 labels occurred 6 times (windowsmoviemaker, solidfileslzsr are among them), and 11,727 distinct labels occurred a single time.
Stay tuned for more results at BlackHat [15] and VirusBulletin [16].