Investigating Name Servers: evolving domains from suspicious to malicious
Very few security products and services give enough consideration to the reputation and quality of the name server associated with the domains they are looking at. Here we pick a High Value Suspicious Domain, check what else sits on the same name server, and examine what is discovered through the process.
Our seeding domain will be service-update[.]link.
Looking at the name server info from our API:
    "nsdomaininfo": [
        {
            "domain": "service-update[.]link",
            "ns_avg_ttl": 4149,
            "ns_domain": "dendrite.network",
            "num_domains": 203,
This is a low-density name server: we have only seen 203 domains on it. It also has a very low average TTL across all the domains on it, which may indicate far more frequent changes than on other name servers.
A quick lookup using our explore API gives us a number of suspicious domains with matching characteristics. These appear to fall into two groups.
Group 1.
Commonalities: tech-related theme. Name server domain: dendrite.network. Have an A record; AS holder ColoCrossing. Registrar Namesilo, with registrant "address": "Tavernier St., Wall House", "city": "Loubiere", "country": "DM".
Domain | A record | PTR | Potential Target | Registrar
--- | --- | --- | --- | ---
update-support[.]network | 198.12.73[.]24 | 198-12-73-24-host.colocrossing.com | |
service-update[.]link | 104.168.44[.]133 | Null; AS ColoCrossing | Aadhar? | Namesilo
update-billing[.]mobi | 23.95.44[.]44 | 23-95-44-44-host.colocrossing.com | EE telecom; reported phish in April 2020 | Namesilo
hs-securealerts[.]com | 172.245.52[.]41 | 172-245-52-41-host.colocrossing.com | HSBC? | Namesilo
ref0948a[.]com | 72.52.179[.]174 (changed yesterday from 23.95.102[.]201) | AS "LIQUIDWEB, US" today; AS ColoCrossing yesterday | | Namesilo
uk-taxupdate[.]com | 198.46.249[.]202 | No PTR; AS "AS-COLOCROSSING, US" | Has an SSL cert; on the Safe Browsing blacklist | Namesilo
aem-new[.]com | 192.227.147[.]116; SSL cert available | No PTR; AS "AS-COLOCROSSING, US"; siblings 3support.aem-new.com, aem-new.com, my3.aem-new.com, mythree.aem-new.com; first seen 20200720 | 3? Telecom provider; linked to malware by Sophos | Namesilo
aempath[.]com | 192.227.223[.]153; SSL cert available | 192-227-223-153-host.colocrossing.com; my3.billing.aempath[.]com, my3.support.aempath[.]com, my3support.aempath[.]com, mybilling.aempath[.]com | 3? Telecom. PhishTank: http://www.phishtank.com/phish_detail.php?phish_id=6632290, source date Tue, 16 Jun 2020 07:33:59 GMT, status online, tags "Three" | Namesilo
com-gb[.]mobi | 192.210.229[.]51 | AS "AS-COLOCROSSING, US" | Mobile telecoms UK? | Namesilo
It appears that the Group 1 domains have either been used maliciously already or are waiting to be used maliciously. Monitoring the "waiting" group for changes is key, as it may allow their activity to be blocked once a domain moves into an actively malicious mode. There are a number of ways to do this, such as monitoring for new changes in DNS or associated records. A move of infrastructure often marks the activation of a malicious domain. A good example is avsvmcloud[.]com: when it was activated for the SolarWinds breach, it switched to its own name servers for the active part of the campaign.
In the next section I will go through the other group of domains on the name server.
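As an added illustration (not code from the post or from its API), this is the kind of snapshot diff that turns the "waiting" group into alerts: it compares two days of A, AS and NS data for a watch list and flags the moves the post calls out, an IP and AS change like ref0948a[.]com's and a switch to the domain's own name servers as with avsvmcloud[.]com. The snapshots are constructed; the name server host names, the avsvmcloud[.]com values and the Choicebank[.]online resolution are placeholders, not observed data.

```python
# Constructed DNS snapshots for a watch list on two consecutive days. The
# ref0948a[.]com move (IP and AS) is the one the post reports; every other
# value, including the name server host names, is a placeholder.
YESTERDAY = {
    "ref0948a[.]com": {"a": ["23.95.102[.]201"], "asname": "AS-COLOCROSSING, US",
                       "ns": ["ns1.dendrite.network"]},
    "avsvmcloud[.]com": {"a": ["203.0.113.10"], "asname": "EXAMPLE-HOST, XX",
                         "ns": ["ns1.parking.example"]},
    "Choicebank[.]online": {"a": [], "asname": None, "ns": ["ns1.dendrite.network"]},
    "uk-taxupdate[.]com": {"a": ["198.46.249[.]202"], "asname": "AS-COLOCROSSING, US",
                           "ns": ["ns1.dendrite.network"]},
}
TODAY = {
    "ref0948a[.]com": {"a": ["72.52.179[.]174"], "asname": "LIQUIDWEB, US",
                       "ns": ["ns1.dendrite.network"]},
    "avsvmcloud[.]com": {"a": ["203.0.113.10"], "asname": "EXAMPLE-HOST, XX",
                         "ns": ["ns1.avsvmcloud[.]com", "ns2.avsvmcloud[.]com"]},
    "Choicebank[.]online": {"a": ["192.0.2.55"], "asname": "EXAMPLE-AS, XX",
                            "ns": ["ns1.dendrite.network"]},
    "uk-taxupdate[.]com": {"a": ["198.46.249[.]202"], "asname": "AS-COLOCROSSING, US",
                           "ns": ["ns1.dendrite.network"]},
}


def self_hosted(domain, ns_list):
    """True when a name server sits under the domain's own zone (ns1.<domain>),
    the switch the post notes for avsvmcloud[.]com before it went active."""
    return any(ns.lower().endswith("." + domain.lower()) for ns in ns_list)


def diff_snapshots(old, new):
    """Return (domain, change, before, after) for each watched domain whose
    A record, hosting AS or name servers moved between the two snapshots."""
    alerts = []
    empty = {"a": [], "asname": None, "ns": []}
    for domain, cur in new.items():
        prev = old.get(domain, empty)
        if not prev["a"] and cur["a"]:
            alerts.append((domain, "gained A record", prev["a"], cur["a"]))
        elif set(prev["a"]) != set(cur["a"]):
            alerts.append((domain, "A record changed", prev["a"], cur["a"]))
        if prev["asname"] != cur["asname"]:
            alerts.append((domain, "hosting AS changed", prev["asname"], cur["asname"]))
        if set(prev["ns"]) != set(cur["ns"]):
            moved = self_hosted(domain, cur["ns"]) and not self_hosted(domain, prev["ns"])
            kind = "moved to own name servers" if moved else "name servers changed"
            alerts.append((domain, kind, prev["ns"], cur["ns"]))
    return alerts
```

A domain that gains its first A record or moves to its own name servers is the strongest activation signal here; an AS change alone, as with ref0948a[.]com, is worth a second look but is also how legitimate hosting migrations appear.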
Group 2.
This group keeps leading to more and more indicators, so I'll post them over time.
Commonalities: tech-related theme. Name server domain: dendrite.network. Domains have been aged. Have an A record; AS holder Nice IT Services Group Inc. Registrar Namesilo, with registrant "address": "Tavernier St., Wall House", "city": "Loubiere", "country": "DM".
Domain | A Record | PTR | Potential Target | Registrar
--- | --- | --- | --- | ---
Paypalservice[.]support (whois age 208, created 2020-06-02 23:08:50) | 45.9.148[.]108; AS "NICEIT, DM"; ASN takedown reputation score 78 (very bad reputation) | mx1.dendrite.network | PayPal | Namesilo
small-url[.]cc (created 2020-10-13 21:11:16) | 45.9.148[.]22; AS "NICEIT, DM"; ASN takedown reputation score 78. SSL certs: c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34 (reused 33884 times); e141bcb13dc92fa31a1e0b35e408f0167620b214, CN fissken[.]com (also on this name server), which looks to be linked to a phishing campaign using fake Adobe landing pages: Adobe.documentcloud[.]app, Adobe.documentcloud[.]online; banner for brandurl[.]cloud | No PTR | Assumed to be a phishing link in an email; other potential uses too. Associated domain spoofing documentcloud.adobe.com | Namesilo
whois age 124, created 2020-08-25 08:32:48 | 45.9.148[.]115; AS "NICEIT, DM"; SSL certs: 16eb7355d966bb2c71f4e674ef542f8bb6283471 (reuse count 1); e6a3b45b062d509b3382282d196efe97d5956ccb (reuse count 5556942); ar-link[.]top | PTR "" | Fortinet: malware | Namesilo
Ulsterbankonlineltd[.]com (whois age 25, created 2020-12-03 21:58:58) | 45.9.148[.]108; AS "NICEIT, DM"; SSL cert 26b57a753c9081adcda72548da8a123a8e06aaab, CN=00000-defaultsite.tld | mx1.dendrite.network | Targeted at Ulster Bank, part of RBS Group | Namesilo
Choicebank[.]online (whois age 125, created 2020-08-25 09:45:09) | No A record today | | Choice Bank or First Choice | Namesilo
Documentcloud[.]pw (created 2020-10-14 15:27:34) | 45.9.148[.]22. SSL certs: c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34 for documentcloud[.]pw and small-url[.]cc; e141bcb13dc92fa31a1e0b35e408f0167620b214, also used for fisskens[.]com; 2b8adb751fe01a2c04e95c726610b06e212da9c3 for CN brand[.]url | No PTR; AS "NICEIT, DM" | Adobe or SharePoint | Namesilo
rbscotland-online[.]com | 45.9.148[.]108; SSL cert 4d160b999632d3c16a9177bb7f68526c82e6f146 for rbscotland-online[.]com and www.rbscotland-online[.]com. Recent resolution 31.220.2[.]142 (subnet reputation score 38; PTR rbsuk-online[.]com) | mx1.dendrite.network | Royal Bank of Scotland, part of RBS Group; Fortinet | Namesilo
Btctools[.]net | 45.9.148[.]108; AS "NICEIT, DM"; ASN takedown reputation score 81; SSL cert 26b57a753c9081adcda72548da8a123a8e06aaab, CN 00000-defaultsite[.]tld | mx1.dendrite.network | Bitcoin mining | Namesilo
gb-kpmg[.]com (whois age 73, created 2020-10-17 07:47:12) | No live A record | | KPMG; listed by Spamhaus | Namesilo
secure-id[.]cloud (whois age 153, created 2020-07-30 06:46:37) | 45.9.148[.]22; AS "NICEIT, DM"; ASN takedown reputation score 81; NS entropy 4; cousins *.docsx[.]cloud, *.secure-id[.]cloud, autodiscover.secure-id[.]cloud, cpanel.secure-id[.]cloud, secure-id[.]cloud, server.secure-id[.]cloud, sub.secure-id[.]cloud. SSL certs: c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34 (C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority; reused 33488 times); e141bcb13dc92fa31a1e0b35e408f0167620b214 (names Fisskens[.]com; reuse count 1); 2b8adb751fe01a2c04e95c726610b06e212da9c3 (names server.brandurl[.]cloud; reuse count 1) | No PTR; AS "NICEIT, DM" | Secure ID | Namesilo
service-ca-verification[.]com (age 255) | 45.9.148[.]162; AS "NICEIT, DM"; ASN takedown reputation score 83. SSL certs: fae1b4e4b55d6907ec4fdbaa0acdd9eb98e28163; 2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e (trusted root certificate; reuse count 305082); 1315cc4ba49a2913b02ed7fb9f5a9937edfd472e (names *.quickex[.]io; reuse count 1); 33e4e80807204c2b6182a3a14b591acd25b5f0db (reuse count 1800764; O=The USERTRUST Network, CN=USERTrust RSA Certification Authority) | No PTR | Spamhaus: phishing. The SSL cert for quickex[.]io on the same IP has had a virus detection related to it in the past | Namesilo
Fisskens[.]com | Added due to the cert mentioned above | | Detected for phishing by Spamhaus |
Teamtnt[.]red (age 324) | 45.9.148[.]108; AS "NICEIT, DM"; ASN takedown reputation score 81; SSL cert 26b57a753c9081adcda72548da8a123a8e06aaab, CN 00000-defaultsite[.]tld | mx1.dendrite.network | https://www.securityweek.com/crypto-mining-worm-targets-aws-credentials. URLhaus: https://urlhaus.abuse.ch/url/356414/ (source date Sat, 02 May 2020 20:07:10 GMT; status online; tags elf,tsunami; url http://teamtnt[.]red/load/dns3; verdict malware_download); https://urlhaus.abuse.ch/url/356415/ (status online; tags elf,tsunami; url http://teamtnt[.]red/load/dns3_32bit; verdict malware_download) | Namesilo
So, just touching on these two groups, which are based on similarities and could of course be a single group: this name server is very heavily used by malicious actors, and definitely by one threat actor group called Team TNT.
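Added example, not the post's or the API's code: a certificate pivot over the Group 2 data that links domains sharing a leaf certificate while ignoring certificates reused across thousands of hosts, since a USERTrust intermediate reused 33884 times says nothing about who controls the domains. The records are constructed from the fingerprints and reuse counts the post lists; unrelated[.]example and the field layout are assumptions.

```python
from collections import defaultdict

# Records constructed from the Group 2 fingerprints in the post; each reuse
# count is the one the post gives for that fingerprint. unrelated[.]example is
# a constructed domain that shares only the widely reused USERTrust certificate.
RECORDS = [
    {"domain": "small-url[.]cc", "certs": [
        ("c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34", 33884),
        ("e141bcb13dc92fa31a1e0b35e408f0167620b214", 1)]},
    {"domain": "documentcloud[.]pw", "certs": [
        ("c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34", 33884),
        ("e141bcb13dc92fa31a1e0b35e408f0167620b214", 1),
        ("2b8adb751fe01a2c04e95c726610b06e212da9c3", 1)]},
    {"domain": "secure-id[.]cloud", "certs": [
        ("c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34", 33488),
        ("2b8adb751fe01a2c04e95c726610b06e212da9c3", 1)]},
    {"domain": "Fisskens[.]com", "certs": [
        ("e141bcb13dc92fa31a1e0b35e408f0167620b214", 1)]},
    {"domain": "unrelated[.]example", "certs": [
        ("c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34", 33884)]},
]


def pivot_on_certs(records, max_reuse=1000):
    """Cluster domains that share a certificate fingerprint. A certificate seen
    on thousands of hosts (a CA chain certificate or a hosting provider's
    default certificate) is not evidence of common control, so fingerprints
    above max_reuse are never used as links. Clusters come back largest first."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]   # path halving
            x = parent[x]
        return x

    by_fp = defaultdict(list)
    for rec in records:
        find(rec["domain"])                 # register domains with no usable cert
        for fp, reuse in rec["certs"]:
            if reuse <= max_reuse:
                by_fp[fp].append(rec["domain"])
    for domains in by_fp.values():          # union every domain on one leaf cert
        for other in domains[1:]:
            parent[find(other)] = find(domains[0])
    clusters = defaultdict(set)
    for rec in records:
        clusters[find(rec["domain"])].add(rec["domain"])
    return sorted((sorted(c) for c in clusters.values()), key=lambda c: (-len(c), c))
```

With the default threshold the four documentcloud-themed domains cluster together and unrelated[.]example stays alone; raising max_reuse high enough to accept the USERTrust certificate collapses everything into one spurious cluster, which is the trap the reuse count guards against.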
How can I use this information?
All the information above was collected by our API and can be leveraged for threat hunting or detections. The information is pre-collected and cached, so new lookups don't have to be made each time you have a new indicator to check. We have already collected all of it and run analysis over it to produce things like reputation scores for the name server, the AS number, the subnet and so on.
A security team can run YARA rules over this information to try to find "High Value Malicious Domains" in their logs or associated IP addresses.