Mapping out AridViper Infrastructure Using Recon’s Malware Module

Cyber Reconnaissance with Team Cymru's Pure Signal™ Platform


Twitter user @BaoshengbinCumt posted malware hash faff57734fe08af63e90c0492b4a9a56 on 27 November 2020, which they attributed to AridViper (APT-C-23 / GnatSpy)[i]. This user is a researcher for Qihoo and has previously reported on the activities of AridViper.

AridViper, also known as APT-C-23 and GnatSpy, is a group active within the Middle Eastern region, known in particular for targeting Israeli military assets.

The Augury Malware addon was used to map out further AridViper infrastructure, by pivoting from @BaoshengbinCumt’s malware seed sample.

Note – All pivots undertaken within this exercise are detailed in the below chart and within a table at the end of the page:

faff57734fe08af63e90c0492b4a9a56

This sample, a packed Windows executable, was dropped via a malicious document disguised as a Curriculum Vitae – likely delivered in a phishing campaign.

Sandboxing of the sample identified a POST request made to hostname judystevenson[.]info.

The first pivot within the Augury Malware addon was therefore to look for other malware samples that had communicated with the C2 judystevenson[.]info.

judystevenson[.]info

Eight further samples were identified using the judystevenson[.]info C2 that was identified from the initial seed sample.

When sandboxing these samples (as well as faff57734fe08af63e90c0492b4a9a56) it was noted that the malware dropped the following file – C:\ProgramData\GUID.bin. This file was then used as the next pivot point.

C:\ProgramData\GUID.bin

18 samples had dropped this file during their execution within a sandbox environment.

Five C2s were identified, associated with the above samples:

escanor[.]live

jaime-martinez[.]info

krasil-anthony[.]icu

nicoledotson[.]icu

ruthgreenrtg[.]live

Further pivots were undertaken based on ImpHash values derived from these samples and the AV signature Win32/Revokery.J, identifying a further five associated samples:

09cd0da3fb00692e714e251bb3ee6342

142a25bb5fd4612c9f6afcaad34fce37

46871f3082e2d33f25111a46dfafd0a6

758e432ed759013e0d00723c3d2af0c6

7fcfb64b1383d0d73f32dbe365fe4fdb

In addition to the five hostnames referenced above, the following two C2s were also extracted from these samples:

benyallen[.]club

chad-jessie[.]info

Pivoting on C2 chad-jessie[.]info subsequently identified a further sample:

fc5b2c81debf30d251d5220097c2f846

Returning to the original sample (faff57734fe08af63e90c0492b4a9a56), the user agent string identified in the POST request was used as another pivot.

Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)

A significant number of samples (approx. 600) were identified using this particular user agent string within C2 communications; analysis therefore focused on samples with a distinctive URL pattern similar to that of the samples already identified.

In undertaking this assessment, four samples were identified:

221c5982d545b4efb2cbee4e0597d154

947fd5f93c44807986f5663a739e0f46

f65e5bb6e35a3e28c2c878824293d939

f7a3f14ddbea80a1fe8653a8b71ce4df

Five C2s were identified, associated with the above samples:

jack-fruit[.]club

lordblackwood[.]club

angeladeloney[.]info

overingtonray[.]info

camilleoconnell[.]website

Pivoting on C2 angeladeloney[.]info subsequently identified a further three samples:

1d815939c4c4df5039185be9506ee88a

21aa63b42825fb95bf5114419fb42157

8b7ad86f74c3fb6d51e7cfb39fdd65be

A total of 40 malware samples were identified during this exercise, communicating with 13 C2s.
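The pivot chain described above (C2 hostname, dropped file, ImpHash, AV signature, then the user agent string narrowed by URL pattern) can be automated as a breadth-first walk over sample metadata. The following is an added example, not Team Cymru's code or the Augury/Recon malware module's API; its sample records, hashes, hostnames, ImpHash values and URL patterns are constructed placeholders, and only the dropped-file path and user agent string are the ones from the write-up.

```python
from collections import deque

# Constructed stand-in for the malware-module lookups described above. Hashes,
# hostnames, ImpHash values and URL patterns are placeholders, not the page's IoCs;
# the dropped path and user agent are the two attributes the write-up pivoted on.
GUID_BIN = r"C:\ProgramData\GUID.bin"
GOOGLEBOT_UA = "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
SAMPLES = {
    "md5-seed": dict(c2={"c2-a.test"}, drops={GUID_BIN}, imphash="imp-1", av=None, ua=GOOGLEBOT_UA, url="/api/v1/"),
    "md5-01": dict(c2={"c2-a.test"}, drops={GUID_BIN}, imphash="imp-2", av=None, ua=None, url=None),
    "md5-02": dict(c2={"c2-b.test"}, drops={GUID_BIN}, imphash="imp-3", av="Win32/Revokery.J", ua=None, url=None),
    "md5-03": dict(c2={"c2-c.test"}, drops=set(), imphash="imp-3", av=None, ua=None, url=None),
    "md5-04": dict(c2={"c2-d.test"}, drops=set(), imphash="imp-9", av=None, ua=GOOGLEBOT_UA, url="/api/v1/"),
    # Noise: shares only the (very common) Googlebot user agent, with a different URL pattern.
    "md5-05": dict(c2={"c2-e.test"}, drops=set(), imphash="imp-8", av=None, ua=GOOGLEBOT_UA, url="/wp-login"),
}
# Attributes strong enough to pivot on alone, in the order the analysis used them.
STRONG = ("c2", "drops", "imphash", "av")


def shared(a, b, attr):
    """True if samples a and b share a non-empty value for attr."""
    va, vb = SAMPLES[a][attr], SAMPLES[b][attr]
    if isinstance(va, set):
        return bool(va & vb)
    return va is not None and va == vb


def pivot(seed):
    """Breadth-first expansion from seed; returns {hash: how it was linked}."""
    linked, queue = {seed: "seed"}, deque([seed])
    while queue:
        cur = queue.popleft()
        for cand in SAMPLES:
            if cand in linked:
                continue
            reason = next((a for a in STRONG if shared(cur, cand, a)), None)
            # The UA string alone matched ~600 samples in the write-up, so it only
            # counts when the candidate also uses the same distinctive URL pattern.
            if reason is None and shared(cur, cand, "ua") and shared(cur, cand, "url"):
                reason = "ua+url"
            if reason:
                linked[cand] = f"{reason} via {cur}"
                queue.append(cand)
    return linked


def c2s(linked):
    """Distinct C2 hostnames across every linked sample."""
    return sorted(set().union(*(SAMPLES[h]["c2"] for h in linked)))
```

Calling pivot("md5-seed") links four of the five other records and records why each was added, while the UA-only record is left out exactly as the write-up's URL-pattern filter would leave it out.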

All pivots, identified samples and C2s were summarised in a table of indicators at the end of the original post.


Recent Passive DNS data was obtained for the identified hostnames and was summarised in a table in the original post; the hostnames resolved to IP addresses in NameCheap address space (NAMECHEAP-NET, US), with the one exception noted below.

The use of NameCheap infrastructure has been observed in previous analysis of this group[ii]. It is believed that in the case of camilleoconnell[.]website, the identified IP address (58.158.177[.]102, UCOM ARTERIA Networks Corporation, JP) is not associated with the activities of AridViper.

[i] https://twitter.com/BaoshengbinCumt/status/1332186267295961089

[ii] https://research.checkpoint.com/2020/hamas-android-malware-on-idf-soldiers-this-is-how-it-happened/
