Investigating Suspicious NameServers

Investigating Name Servers: evolving domains from suspicious to malicious

Very few security products and services give enough consideration to the reputation and quality of the name server associated with the domains they look at. Here we pick a High Value Suspicious Domain, check what else sits on the same name server, and examine what the process turns up.

 

Our seeding domain will be service-update[.]link.

Looking at the name server info from our API:

 

    "nsdomaininfo": [
        {
          "domain": "service-update[.]link",
          "ns_avg_ttl": 4149,
          "ns_domain": "dendrite.network",
          "num_domains": 203,

This is a low-density nameserver: we have only seen 203 domains on it. It also has a very low average TTL across those domains, which may indicate frequent changes compared with other nameservers.

 

A quick lookup using our explore API returns a number of suspicious domains with matching characteristics. These appear to fall into two groups.
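As an added illustration (not part of the original post or its API), here is the pivot above expressed in Python over records shaped like the enrichment fields quoted in this post. The field names ns_domain, num_domains, ns_avg_ttl and asname are the ones quoted; the registrar field, the thresholds and the control record are assumptions made for the example:

```python
from collections import defaultdict

# Constructed sample records shaped like the nameserver-enrichment fields quoted in
# this post (domain, ns_domain, num_domains, ns_avg_ttl, asname, registrar).  The
# values are the ones the post reports for these domains; the control record and
# its nameserver are made up for contrast.
SEED = "service-update[.]link"

RECORDS = [
    {"domain": "service-update[.]link", "ns_domain": "dendrite.network", "num_domains": 203,
     "ns_avg_ttl": 4149, "asname": "AS-COLOCROSSING, US", "registrar": "Namesilo"},
    {"domain": "update-billing[.]mobi", "ns_domain": "dendrite.network", "num_domains": 203,
     "ns_avg_ttl": 4149, "asname": "AS-COLOCROSSING, US", "registrar": "Namesilo"},
    {"domain": "aem-new[.]com", "ns_domain": "dendrite.network", "num_domains": 203,
     "ns_avg_ttl": 4149, "asname": "AS-COLOCROSSING, US", "registrar": "Namesilo"},
    {"domain": "Paypalservice[.]support", "ns_domain": "dendrite.network", "num_domains": 203,
     "ns_avg_ttl": 4149, "asname": "NICEIT, DM", "registrar": "Namesilo"},
    {"domain": "Teamtnt[.]red", "ns_domain": "dendrite.network", "num_domains": 203,
     "ns_avg_ttl": 4149, "asname": "NICEIT, DM", "registrar": "Namesilo"},
    # constructed control: a big, slow-changing nameserver that should not be flagged
    {"domain": "control-domain.example", "ns_domain": "ns.control-dns.example",
     "num_domains": 2500000, "ns_avg_ttl": 86400, "asname": "EXAMPLE-AS, US",
     "registrar": "Example Registrar"},
]


def nameserver_flags(record, max_domains=1000, max_avg_ttl=7200):
    """Reasons a nameserver looks worth pivoting on.

    The thresholds are assumptions for illustration.  The post's reasoning is that a
    nameserver hosting few domains (dendrite.network: 203) with a short average TTL
    (4149 s) suggests a small, frequently changing estate.
    """
    flags = []
    if record["num_domains"] <= max_domains:
        flags.append("low_density")
    if record["ns_avg_ttl"] <= max_avg_ttl:
        flags.append("low_avg_ttl")
    return flags


def pivot_on_nameserver(seed, records):
    """Collect every record on the seed's nameserver and bucket the domains by
    (AS holder, registrar), which is how Group 1 and Group 2 separate in the post."""
    seed_rec = next(r for r in records if r["domain"].lower() == seed.lower())
    ns = seed_rec["ns_domain"]
    groups = defaultdict(list)
    for r in records:
        if r["ns_domain"].lower() == ns.lower():
            groups[(r["asname"], r["registrar"])].append(r["domain"])
    return ns, nameserver_flags(seed_rec), dict(groups)


if __name__ == "__main__":
    ns, flags, groups = pivot_on_nameserver(SEED, RECORDS)
    print(f"nameserver {ns}: flags={flags}")
    for (asname, registrar), domains in groups.items():
        print(f"  {asname} / {registrar}: {', '.join(domains)}")
```

The grouping key is deliberately coarse; in practice the registrant address fields quoted under each group's commonalities would be added to it.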

 

Group 1.

 

Commonalities: tech-related theme; nameserver domain dendrite.network; have an A record; AS holder ColoCrossing; registrar Namesilo, with registrant "address": "Tavernier St., Wall House", "city": "Loubiere", "country": "DM".

 

| Domain | A record | PTR / hosting | Potential target / listings | Registrar |
|---|---|---|---|---|
| update-support[.]network | 198.12.73[.]24 | 198-12-73-24-host.colocrossing.com | | |
| service-update[.]link | 104.168.44[.]133 | Null; AS ColoCrossing | Aadhar? | Namesilo |
| update-billing[.]mobi | 23.95.44[.]44 | 23-95-44-44-host.colocrossing.com | EE telecom; reported phish in April 2020 | Namesilo |
| hs-securealerts[.]com | 172.245.52[.]41 | 172-245-52-41-host.colocrossing.com | HSBC? | Namesilo |
| ref0948a[.]com | 72.52.179[.]174 (changed yesterday from 23.95.102[.]201) | "asname": "LIQUIDWEB, US"; yesterday AS ColoCrossing | | Namesilo |
| uk-taxupdate[.]com | 198.46.249[.]202 | "asname": "AS-COLOCROSSING, US"; no PTR; has an SSL cert | On Safe Browsing blacklist | Namesilo |
| aem-new[.]com ("first_seen": 20200720) | 192.227.147[.]116 | "asname": "AS-COLOCROSSING, US"; no PTR; SSL cert available; siblings: 3support.aem-new.com, aem-new.com, my3.aem-new.com, mythree.aem-new.com | 3 (Three)? telecom provider; linked to malware by Sophos | Namesilo |
| aempath[.]com | 192.227.223[.]153 | "ip_ptr": "192-227-223-153-host.colocrossing.com"; SSL cert available; names: my3.billing.aempath[.]com, my3.support.aempath[.]com, my3support.aempath[.]com, mybilling.aempath[.]com | 3 (Three)? telecom; PhishTank entry: "source_date": "Tue, 16 Jun 2020 07:33:59 GMT", "source_link": "http://www.phishtank.com/phish_detail.php?phish_id=6632290", "status": "online", "tags": "Three" | Namesilo |
| com-gb[.]mobi | 192.210.229[.]51 | "asname": "AS-COLOCROSSING, US" | Mobile telecoms UK? | Namesilo |

It appears that the Group 1 domains have either already been used maliciously or are waiting to be used maliciously. Monitoring the "waiting" group for changes is key, as it may let you block their activity once a domain moves into an actively malicious mode. There are a number of ways to do this, such as monitoring for new changes in DNS or associated records. Movement of infrastructure often marks the activation of a malicious domain. A good example is the domain avsvmcloud[.]com, which was activated for the SolarWinds breach: it switched to its own nameservers for the active part of the campaign.
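An added example, not part of the original post, of the change monitoring described above: two daily snapshots of a watchlist are diffed, and a change of AS holder or a move to nameservers inside the domain's own zone is raised as a possible activation. The snapshot fields are this example's own; the ref0948a[.]com values are the ones reported in the Group 1 table (with the ns_domain value standing in for the NS hostnames), and the other two domains are invented:

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class DnsSnapshot:
    """One day's view of a watched domain (field names are this example's own)."""
    domain: str
    a: tuple        # A record values
    ns: tuple       # nameserver hostnames (here the post's ns_domain value)
    asname: str     # AS holder of the A record
    ptr: str        # reverse DNS of the A record, "" when none


def diff_snapshots(before, after):
    """Return (field, old, new) for every field that differs between two snapshots."""
    if before.domain != after.domain:
        raise ValueError("snapshots are for different domains")
    changes = []
    for field in ("a", "ns", "asname", "ptr"):
        old, new = getattr(before, field), getattr(after, field)
        if old != new:
            changes.append((field, old, new))
    return changes


def activation_alerts(before, after):
    """Turn raw record changes into named alerts.

    A change of AS holder or a move to nameservers under the domain's own zone is
    treated as a possible 'activation', following the post's avsvmcloud[.]com example;
    A and PTR changes are reported as plain changes.
    """
    alerts = []
    for field, old, new in diff_snapshots(before, after):
        if field == "ns":
            own_zone = any(h.lower().endswith(before.domain.lower()) for h in new)
            alerts.append(("ns_change_to_own_zone" if own_zone else "ns_change", old, new))
        elif field == "asname":
            alerts.append(("as_change", old, new))
        else:
            alerts.append((field + "_change", old, new))
    return alerts


def monitor(watchlist_before, watchlist_after):
    """Diff two watchlist snapshots keyed by domain; domains missing a day are skipped."""
    report = {}
    for domain, before in watchlist_before.items():
        after = watchlist_after.get(domain)
        if after is None:
            continue
        alerts = activation_alerts(before, after)
        if alerts:
            report[domain] = alerts
    return report


# Constructed snapshots.  ref0948a[.]com uses the values the post reports (it moved from
# ColoCrossing to LiquidWeb between two days); the other two domains are invented:
# one switches to nameservers in its own zone, one does not change at all.
DAY1 = {
    "ref0948a[.]com": DnsSnapshot("ref0948a[.]com", ("23.95.102[.]201",), ("dendrite.network",),
                                  "AS-COLOCROSSING, US", ""),
    "waiting-example[.]test": DnsSnapshot("waiting-example[.]test", ("203.0.113.10",),
                                          ("dendrite.network",), "EXAMPLE-AS, US", ""),
    "quiet-example[.]test": DnsSnapshot("quiet-example[.]test", ("203.0.113.20",),
                                        ("dendrite.network",), "EXAMPLE-AS, US", ""),
}
DAY2 = {
    "ref0948a[.]com": DnsSnapshot("ref0948a[.]com", ("72.52.179[.]174",), ("dendrite.network",),
                                  "LIQUIDWEB, US", ""),
    "waiting-example[.]test": DnsSnapshot("waiting-example[.]test", ("203.0.113.10",),
                                          ("ns1.waiting-example[.]test", "ns2.waiting-example[.]test"),
                                          "EXAMPLE-AS, US", ""),
    "quiet-example[.]test": DAY1["quiet-example[.]test"],
}

if __name__ == "__main__":
    for domain, alerts in monitor(DAY1, DAY2).items():
        for name, old, new in alerts:
            print(f"{domain}: {name} {old} -> {new}")
```

In a real deployment the snapshots would be filled from daily API pulls and the report fed to the blocklist or alerting pipeline; the point of the example is that the "own zone" and "AS changed" conditions are cheap to compute once the history is kept.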

In the next section I will go through the other groups of domains on the Nameserver.

Group 2.

This group seems to lead to more and more indicators so I’ll post them over time.

Commonalities: tech-related theme; nameserver domain dendrite.network; domains have been aged; have an A record; AS holder Nice IT Services Group Inc.; registrar Namesilo, with registrant "address": "Tavernier St., Wall House", "city": "Loubiere", "country": "DM".

| Domain | A record | PTR / hosting | Potential target / listings | Registrar |
|---|---|---|---|---|
| Paypalservice[.]support ("whois_age": 208; "whois_created_date": "2020-06-02 23:08:50") | 45.9.148[.]108 | "asname": "NICEIT, DM"; "asn_takedown_reputation_score": 78 (very bad reputation); "ip_ptr": "mx1.dendrite.network" | PayPal | Namesilo |
| small-url[.]cc ("created": "2020-10-13 21:11:16") | 45.9.148[.]22 | "asname": "NICEIT, DM"; "asn_takedown_reputation_score": 78; no PTR; SSL certs: c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34 (reused 33884 times); e141bcb13dc92fa31a1e0b35e408f0167620b214, CN fisskens[.]com (also on this nameserver), looks to be linked to a phishing campaign using fake Adobe landing pages (Adobe.documentcloud[.]app, Adobe.documentcloud[.]online); banner for brandurl[.]cloud | Assumed to be a phishing link in an email (other potential uses also); associated domain spoofing documentcloud.adobe.com | Namesilo |
| election[.]finance ("age": 124; "whois_created_date": "2020-08-25 08:32:48") | 45.9.148[.]115 | "asname": "NICEIT, DM"; "ip_ptr": ""; SSL certs: "fingerprint_sha1": "16eb7355d966bb2c71f4e674ef542f8bb6283471" (reuse count 1); e6a3b45b062d509b3382282d196efe97d5956ccb (reuse count 5556942); ar-link[.]top | Fortinet: malware | Namesilo |
| Ulsterbankonlineltd[.]com ("whois_age": 25; "whois_created_date": "2020-12-03 21:58:58") | 45.9.148[.]108 | "asname": "NICEIT, DM"; "ip_ptr": "mx1.dendrite.network"; SSL cert "fingerprint_sha1": "26b57a753c9081adcda72548da8a123a8e06aaab", CN=00000-defaultsite.tld | Targeted at Ulster Bank, part of RBS Group | Namesilo |
| Choicebank[.]online ("whois_age": 125; "whois_created_date": "2020-08-25 09:45:09") | No A record today | | Choice Bank or First Choice | Namesilo |
| Documentcloud[.]pw ("created": "2020-10-14 15:27:34") | 45.9.148[.]22 | "asname": "NICEIT, DM"; no PTR; cert domains: documentcloud[.]pw, small-url[.]cc; SSL certs: c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34; e141bcb13dc92fa31a1e0b35e408f0167620b214 (also used for fisskens[.]com); 2b8adb751fe01a2c04e95c726610b06e212da9c3 (CN brandurl[.]cloud) | Adobe or SharePoint | Namesilo |
| rbscotland-online[.]com | 45.9.148[.]108; recent resolution 31.220.2[.]142 ("subnet_reputation_score": 38; "ip_ptr": "rbsuk-online[.]com") | "ip_ptr": "mx1.dendrite.network"; SSL cert "fingerprint_sha1": "4d160b999632d3c16a9177bb7f68526c82e6f146", domains: rbscotland-online[.]com, www.rbscotland-online[.]com | Royal Bank of Scotland, part of RBS Group; Fortinet: spam | Namesilo |
| Btctools[.]net | 45.9.148[.]108 | "asname": "NICEIT, DM"; "asn_takedown_reputation_score": 81; "ip_ptr": "mx1.dendrite.network"; SSL cert 26b57a753c9081adcda72548da8a123a8e06aaab, CN 00000-defaultsite[.]tld | Bitcoin mining | Namesilo |
| gb-kpmg[.]com ("whois_age": 73; "whois_created_date": "2020-10-17 07:47:12") | No live A record | | KPMG; listed by Spamhaus | Namesilo |
| secure-id[.]cloud ("whois_age": 153; "whois_created_date": "2020-07-30 06:46:37") | 45.9.148[.]22 | "asname": "NICEIT, DM"; "asn_takedown_reputation_score": 81; "ns_entropy": 4; no PTR; cousins: *.docsx[.]cloud, *.secure-id[.]cloud, autodiscover.secure-id[.]cloud, cpanel.secure-id[.]cloud, secure-id[.]cloud, server.secure-id[.]cloud, sub.secure-id[.]cloud; SSL certs: c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34 (C=US, ST=New Jersey, L=Jersey City, O=The USERTRUST Network, CN=USERTrust RSA Certification Authority; reused 33488 times); e141bcb13dc92fa31a1e0b35e408f0167620b214 (names: Fisskens[.]com, www.fisskens[.]com; reuse count 1 IP); 2b8adb751fe01a2c04e95c726610b06e212da9c3 (names: server.brandurl[.]cloud; reuse count 1 IP) | Secure ID | Namesilo |
| service-ca-verification[.]com ("age": 255) | 45.9.148[.]162 | "asname": "NICEIT, DM"; "asn_takedown_reputation_score": 83; no PTR; SSL certs: fae1b4e4b55d6907ec4fdbaa0acdd9eb98e28163; 2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e (trusted root certificate; "ssl_cert_reuse_count": 305082); 1315cc4ba49a2913b02ed7fb9f5a9937edfd472e (names: *.quickex[.]io, quickex[.]io; "ssl_cert_reuse_count": 1); 33e4e80807204c2b6182a3a14b591acd25b5f0db (O=The USERTRUST Network, CN=USERTrust RSA Certification Authority; "ssl_cert_reuse_count": 1800764) | Spamhaus: phishing; the SSL cert for quickex[.]io on the same IP has had a virus detection related to it in the past | Namesilo |
| Fisskens[.]com (added due to the cert mentioned above) | | | Detected for phishing by Spamhaus | |
| Teamtnt[.]red ("age": 324) | 45.9.148[.]108 | "asname": "NICEIT, DM"; "asn_takedown_reputation_score": 81; "ip_ptr": "mx1.dendrite.network"; SSL cert 26b57a753c9081adcda72548da8a123a8e06aaab, CN 00000-defaultsite[.]tld | https://www.securityweek.com/crypto-mining-worm-targets-aws-credentials; URLhaus "source_link": "https://urlhaus.abuse.ch/url/356414/" ("source_date": "Sat, 02 May 2020 20:07:10 GMT", "status": "online", "tags": "elf,tsunami", "url": "http://teamtnt[.]red/load/dns3", "verdict": "malware_download"); URLhaus "source_link": "https://urlhaus.abuse.ch/url/356415/" ("status": "online", "tags": "elf,tsunami", "url": "http://teamtnt[.]red/load/dns3_32bit", "verdict": "malware_download") | Namesilo |

 

 

So, just touching on these two groups, which are split by similarities and could of course be a single group: this nameserver is very heavily used by malicious actors, and definitely by one threat actor group called TeamTNT.
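Much of Group 2 was connected by shared certificate fingerprints, with the reuse counts separating CA and shared-hosting certificates (reused hundreds of thousands of times) from certificates specific to one actor's hosts (reuse count 1). The following added example, not from the original post, automates that pivot over the fingerprints quoted in the Group 2 table; the reuse threshold and the placeholder reuse count for the 26b57a... default certificate are assumptions, and election[.]finance is left out because the post does not tie its names to a specific fingerprint:

```python
from collections import defaultdict

# Certificate observations taken from the Group 2 table: (domain, SHA-1 fingerprint,
# reuse count, subject or SAN as quoted).  Reuse counts are the post's where it gives
# one; REUSE_NOT_STATED is a placeholder for the 26b57a... default certificate,
# whose reuse count the post does not show.
REUSE_NOT_STATED = 10

C81A = "c81a8bd1f9cf6d84c525f378ca1d3f8c30770e34"
E141 = "e141bcb13dc92fa31a1e0b35e408f0167620b214"
B2B8 = "2b8adb751fe01a2c04e95c726610b06e212da9c3"
D26B = "26b57a753c9081adcda72548da8a123a8e06aaab"

CERT_OBSERVATIONS = [
    ("small-url[.]cc", C81A, 33884, "CN=USERTrust RSA Certification Authority"),
    ("small-url[.]cc", E141, 1, "fisskens[.]com"),
    ("Documentcloud[.]pw", C81A, 33884, "CN=USERTrust RSA Certification Authority"),
    ("Documentcloud[.]pw", E141, 1, "fisskens[.]com"),
    ("Documentcloud[.]pw", B2B8, 1, "server.brandurl[.]cloud"),
    ("secure-id[.]cloud", C81A, 33488, "CN=USERTrust RSA Certification Authority"),
    ("secure-id[.]cloud", E141, 1, "fisskens[.]com"),
    ("secure-id[.]cloud", B2B8, 1, "server.brandurl[.]cloud"),
    ("Ulsterbankonlineltd[.]com", D26B, REUSE_NOT_STATED, "00000-defaultsite[.]tld"),
    ("Btctools[.]net", D26B, REUSE_NOT_STATED, "00000-defaultsite[.]tld"),
    ("Teamtnt[.]red", D26B, REUSE_NOT_STATED, "00000-defaultsite[.]tld"),
    ("service-ca-verification[.]com", "2b8f1b57330dbba2d07a6c51f70ee90ddab9ad8e",
     305082, "trusted root certificate"),
    ("service-ca-verification[.]com", "33e4e80807204c2b6182a3a14b591acd25b5f0db",
     1800764, "CN=USERTrust RSA Certification Authority"),
    ("service-ca-verification[.]com", "1315cc4ba49a2913b02ed7fb9f5a9937edfd472e",
     1, "quickex[.]io"),
]


def is_pivotable(reuse, max_reuse=1000):
    """Certificates seen on tens of thousands of hosts are CA or shared-hosting
    certificates, not a link between two actors' domains; the threshold is an assumption."""
    return reuse <= max_reuse


def cert_clusters(observations, max_reuse=1000, min_size=2):
    """Map each pivotable fingerprint to (subject, sorted domains) when it is shared
    by at least min_size of the observed domains."""
    by_fp = defaultdict(set)
    subject = {}
    for domain, fp, reuse, subj in observations:
        if not is_pivotable(reuse, max_reuse):
            continue
        by_fp[fp].add(domain.lower())
        subject[fp] = subj
    return {fp: (subject[fp], sorted(domains))
            for fp, domains in by_fp.items() if len(domains) >= min_size}


def new_leads(observations, max_reuse=1000):
    """Names on pivotable certificates that are not yet in the observed domain set.
    This is the step that added Fisskens[.]com to the table above.  Subjects under
    the non-existent '.tld' are default-site placeholders and are ignored."""
    known = {domain.lower() for domain, _, _, _ in observations}
    leads = set()
    for _, _, reuse, subj in observations:
        if not is_pivotable(reuse, max_reuse) or subj.startswith("CN=") or subj.endswith("[.]tld"):
            continue
        if subj.lower() not in known:
            leads.add(subj.lower())
    return sorted(leads)


if __name__ == "__main__":
    for fp, (subj, domains) in cert_clusters(CERT_OBSERVATIONS).items():
        print(f"{fp[:12]}... ({subj}): {', '.join(domains)}")
    print("new leads:", ", ".join(new_leads(CERT_OBSERVATIONS)))
```

The default-site certificate with CN 00000-defaultsite[.]tld still clusters three domains together because it is the same certificate on the same host (45.9.148[.]108), which is a hosting link rather than an actor link; treat that cluster as weaker evidence than a certificate such as e141bcb1... that carries a specific name.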

How can I use this information?

All the information above was collected by our API and can be leveraged for threat hunting or detections. The information is pre-collected and cached, so new lookups do not have to be done each time you have a new indicator to check. We have already collected all this information and run analysis on it to produce things like reputation scores for the nameserver, the AS number reputation, the subnet reputation and so on.

A security team can use YARA rules over this information to find "High Value Malicious Domains" in their logs or associated IP addresses.
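As an added example (not from the original post, and in Python rather than YARA), here is a detection pass over resolver log lines that applies the indicators collected above: watchlist domains with subdomain matching, the individual A records, the NICEIT range and the ColoCrossing reverse-DNS pattern. The log format, the /24 prefix and the sample lines are constructed:

```python
import ipaddress
import re


def refang(indicator):
    """Turn the post's defanged form (x[.]y) back into a resolvable name/IP for matching."""
    return indicator.replace("[.]", ".")


# Constructed watchlist from indicators in this post.  The /24 is an assumption: the post
# lists individual NICEIT hosts in 45.9.148.x, not a prefix.  The PTR pattern is the
# ColoCrossing reverse-DNS naming seen in the Group 1 table and is only a weak signal.
WATCH_DOMAINS = {refang(d).lower() for d in
                 ("aem-new[.]com", "Teamtnt[.]red", "secure-id[.]cloud", "uk-taxupdate[.]com")}
WATCH_IPS = {refang(ip) for ip in ("198.46.249[.]202", "192.227.147[.]116")}
WATCH_NETWORKS = [ipaddress.ip_network("45.9.148.0/24")]
COLOCROSSING_PTR = re.compile(r"-host\.colocrossing\.com$", re.IGNORECASE)

# Assumed log shape: "<timestamp> <client> <qtype> <qname> -> <answer>" (one answer per line).
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) (?P<qtype>A|PTR) (?P<qname>\S+) -> (?P<answer>\S+)$")


def domain_matches(qname, watch=WATCH_DOMAINS):
    """Exact or subdomain match, anchored on a label boundary so that
    secure-id.cloud.example.org is not a hit for secure-id.cloud."""
    q = qname.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in watch)


def ip_matches(answer):
    """True when the answer is a watchlisted IP or falls in a watchlisted prefix."""
    try:
        ip = ipaddress.ip_address(answer)
    except ValueError:
        return False
    return str(ip) in WATCH_IPS or any(ip in net for net in WATCH_NETWORKS)


def scan_logs(lines):
    """Return (qname, answer, reasons) for each line that touches the watchlist."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue
        reasons = []
        if domain_matches(m["qname"]):
            reasons.append("watchlist_domain")
        if ip_matches(m["answer"]):
            reasons.append("watchlist_ip")
        if m["qtype"] == "PTR" and COLOCROSSING_PTR.search(m["answer"]):
            reasons.append("colocrossing_ptr")
        if reasons:
            hits.append((m["qname"], m["answer"], reasons))
    return hits


# Constructed DNS resolver log lines; 203.0.113.0/24 is documentation address space.
SAMPLE_LOG = [
    "2020-12-29T10:00:01Z 10.0.0.5 A my3.aem-new.com -> 192.227.147.116",
    "2020-12-29T10:00:02Z 10.0.0.7 A www.example.com -> 203.0.113.10",
    "2020-12-29T10:00:03Z 10.0.0.9 A teamtnt.red -> 45.9.148.108",
    "2020-12-29T10:00:04Z 10.0.0.9 PTR 23.95.44.44 -> 23-95-44-44-host.colocrossing.com",
    "2020-12-29T10:00:05Z 10.0.0.3 A login.secure-id.cloud.example.org -> 203.0.113.20",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for qname, answer, reasons in scan_logs(SAMPLE_LOG):
        print(f"{qname} -> {answer}: {', '.join(reasons)}")
```

The PTR reason on its own only says a client resolved a ColoCrossing host, which is not malicious by itself; it is useful as corroboration when the same client also hits a watchlist domain or IP.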