MoqHao Part 1: Identifying Phishing Infrastructure

Cyber Reconnaissance with Team Cymru's Pure Signal™ Platform


In mid-January, Twitter users @NaomiSuzuki_ and @KesaGataMe0 identified nearly 20 malicious phishing domains spoofing AEON Bank in Japan. The domains were tied to MoqHao, a malware family targeting Android OS devices, primarily in Japan, South Korea, and Taiwan:



Figure 1 – Seed Twitter Post


PASSIVE DNS DATA

Using Team Cymru’s Pure Signal Platform, we performed a wildcard search for domains using the pattern of ‘t.aeo*.com’. This search identified all of the domains and the hosting IP addresses previously found by @NaomiSuzuki_ and @KesaGataMe0.

IP Address

AS Name

Hostname

First Seen

103.75.189.31

Gigabit Hosting, MY

2021-01-07

103.75.189.31

Gigabit Hosting, MY

2021-01-07

104.27.180.110

Cloudflare, US

2021-01-11

104.27.180.110

Cloudflare, US

2021-01-11

104.27.188.38

Cloudflare, US

2021-01-11

104.27.188.38

Cloudflare, US

​2021-01-11

172.67.199.42

Cloudflare, US

2021-01-11

172.67.215.77

Cloudflare, US

2021-01-11

178.132.7.109

WorldStream, NL

2021-01-15

188.213.49.231

Parfumuri Femei, RO

2021-01-13

20.48.114.7

Microsoft, US

2021-01-15

20.48.114.7

Microsoft, US

2021-01-14

20.48.114.7

Microsoft, US

2021-01-15

213.183.48.212

Melbicom, LT

2021-01-08

216.189.159.35

HostUS, US

2021-01-07

216.189.159.35

HostUS, US

2021-01-07

216.189.159.35

HostUS, US

2021-01-08

27.100.36.35

HostUS, AU

2021-01-07

40.74.72.100

​Microsoft, US

2021-01-12

40.74.72.100

Microsoft, US

2021-01-11

45.121.147.170

Gigabit Hosting, MY

2021-01-11

45.121.147.170

Gigabit Hosting, MY

2021-01-14

45.121.147.170

Gigabit Hosting, MY

2021-01-15

45.121.147.170

Gigabit Hosting, MY

2021-01-13


45.121.147.242

Gigabit Hosting, MY

2021-01-15

45.121.147.242

Gigabit Hosting, MY

2021-01-18

45.121.147.50

Gigabit Hosting, MY

2021-01-08

45.121.147.50

Gigabit Hosting, MY

2021-01-08

45.58.52.60

HostUS, US

2021-01-08

45.58.52.60

HostUS, US

2021-01-08

51.83.247.167

OVH, FR

2021-01-18


Table 1 – Domains Spoofing Aeon Bank


From this list we can see that several of the IP addresses were used to host two or more domains:


IP Address

AS Name

45.121.147.50

Gigabit Hosting, MY

45.58.52.60

HostUS, US

103.75.189.31

Gigabit Hosting, MY

216.189.159.35

HostUS, US

45.121.147.242

Gigabit Hosting, MY

45.121.147.170

Gigabit Hosting, MY

20.48.114.7

Microsoft, US

40.74.72.100

Microsoft, US


Table 2 – IP Addresses Hosting Multiple Phishing Domains


Performing a passive DNS search on these IP addresses identifies another pattern of spoofed domains, this time targeting Japan’s The 77 Bank, Ltd.


By performing another wildcard domain search for ‘77*bnk.com’ we identified the following:

IP Address

AS Name

Name Queried

Min of Timestamp

103.75.189.31

Gigabit Hosting, MY

2021-01-07

104.27.180.251

Cloudflare, US

2021-01-12

104.27.181.251

Cloudflare, US

2021-01-12

172.67.158.54

Cloudflare, US

2021-01-12

216.189.159.35

HostUS, US

2021-01-08

27.100.36.35

HostUS, AU

2021-01-05

27.100.36.35

HostUS, AU

2021-01-06

Table 3 – Domains Spoofing The 77 Bank


Several of these domains, including 77cbnk.com, 77bbnk.com, and 77bac.com were already observed by Twitter sleuths @NaomiSuzuki_ and @KesaGataMe0.


Note: A domain spoofing Japan’s Jibun Bank, ‘t.auznw.com’ was also hosted on 45.121.147.242, but we couldn’t find any more domains that followed the same pattern. Likewise, the domains ‘aetvk.com’, ‘aenbv.com’, ‘aeenm.com’, and ‘aenvv.com’ were also used to spoof AEON Bank (using a slightly different naming pattern) but did not lead to any additional discoveries.


X.509 DATA

Looking at our X.509 certificate records, we find one certificate hosted on IP address 40.74.72.100:

Field

Value

​Subject DN

Issuer DN

C=US, O=Let’s Encrypt, CN=R3

Serial

0xeeb4ec0ef406cb854ddffb1c9fd2276c

Validity

2021-01-11 07:49:38 to 2021-04-11 07:49:38 (90 days)

SHA-1

c2029fa68bfa34fefc4ac48360434989122f1348

Table 4 – x509 Certificate Associated with aeoob.com



None of the other domains appeared to have an associated certificate, so it is unknown why the domain ‘aeoob.com’ is the exception. Nonetheless, it’s an additional data point to look out for in the future.

NETFLOW DATA

Looking at netflow, we see over 250 unique Japanese IP addresses connecting over TCP port 443 (HTTPS) to the IP addresses in Table 2. The connecting IP addresses are all registered to Softbank, NTT, OPTAGE, or NTT Docomo, indicating they are likely residential customers. The vast majority of overall TCP/443 traffic to these IP addresses came from Japan, so the traffic likely represents victims who fell prey to the phishing campaign.


The actors appear to have covered their tracks carefully. A high percentage of the netflow traffic directed at five of the eight IP addresses listed in Table 2 came from 210.140.10.24 (IDC Frontier Inc., JP) and 45.114.130.4 (EHOSTIDC, KR), both of which are Tor exit nodes.



Figure 2 – Top Communicating IP Addresses in NetFlow Data


While we can’t draw any further conclusions as to attribution of this activity at this stage, with Team Cymru’s Pure Signal platform we can continue to monitor new spoofed banking domains and IP addresses as they appear.

0 comments

Recent Posts

See All