A Case Study on the Value of Threat Reconnaissance
The contents of this blog were shared with Team Cymru’s community partners in the first half of 2021 and were subsequently presented by our analysts at RISE Las Vegas (September 2021).
Much has been written about the role of webinjects in the evolution of banking trojans, facilitating the interception and manipulation of victim connections to the customer portals of a burgeoning list of targets which now includes e-commerce, retail, and telecommunications brands.
Previous community research has also highlighted the emergence of third-party webinject panel “providers” within the underground economy. For example, the moniker Yummba has long been associated with the creation/maintenance of webinject panels favored by many of the most ubiquitous banking trojan families, including IcedID, QakBot and ZLoader.
In this blog we will explain how we were able to track webinject infrastructure used by multiple threat actors over a period of more than six months. Using the concept of ‘Threat Reconnaissance’ to stay ahead of new campaigns, we were able to identify panels as they were set up and therefore limit their impact on potential victims.
During investigations into IcedID (see our previous blog Tracking BokBot (a.k.a. IcedID) Infrastructure for further insights) in late 2020, a webinject panel used by the threat actors was identified hosted on agentsjs[.]com, a domain which at the time, based on Passive DNS information, resolved to 193.34.166[.]57 (assigned to SNEL, NL).
Whilst examining traffic to 193.34.166[.]57, UDP connections with 95.213.129[.]178 (assigned to SELECTEL, RU) were identified using symmetrical source/destination ports – consistently UDP/23985.
Pivoting to look at traffic associated with 95.213.129[.]178, further connections involving UDP/23985 were identified with fifteen other IP addresses within the 18.104.22.168/23 netblock. This activity was most recently observed on 9th January 2021.
95.213.129[.]178 was also observed connecting to the above referenced IP addresses on TCP/22 and TCP/443 – activity likely related to the setup and management of the panels.
Passive DNS information was used to enrich these IP addresses, as summarized in Table 1.
Through our botnet analysis efforts, we were able to link several of the domains contained in Table 1 to webinject panels attributable to specific threat actor groups: Dridex, IcedID and QakBot.
Our initial assessment of these findings was that 95.213.129[.]178 was being used as some form of management channel for these panels and, given the attributions to multiple distinct campaigns, was likely associated with a third-party webinject vendor.
However, from 10 January 2021 onwards, we did not observe any further communications of note involving this IP address.
We continued to monitor traffic associated with the 22.214.171.124/23 netblock, looking for similar UDP connections to known / unknown panels.
Commencing on 18 January 2021, we noticed connections involving 31.131.249[.]98 (also assigned to SELECTEL, RU) with a handful of ‘new’ IP addresses. These connections similarly used symmetrical ports – in this case consistently UDP/23743.
Between 18 January and 24 May 2021, we identified ten additional panels based on connections with 31.131.249[.]98. Of note was the apparent re-use of 193.34.167[.]248 (see Table 1) which had hosted huntinqton[.]net in November 2020 and then reappeared in March 2021 hosting outresult[.]com.
As was the case with 95.213.129[.]178, 31.131.249[.]98 was also further observed connecting to the above referenced IP addresses on TCP/22 and TCP/443.
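The pivot described above (one upstream host sharing a symmetrical UDP port with several hosts in a monitored netblock, corroborated by TCP/22 and TCP/443 connections) can be expressed as a query over flow records. The following is an added example, not Team Cymru's tooling: the flow tuples, the documentation-range addresses, the `find_upstreams` name, the `min_peers` threshold and the exclusion of ports below 1024 are all assumptions.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed flow records (proto, src, sport, dst, dport); not real telemetry.
FLOWS = [
    ("udp", "203.0.113.10", 23985, "198.51.100.57", 23985),
    ("udp", "203.0.113.10", 23985, "198.51.100.248", 23985),
    ("udp", "198.51.100.99", 23985, "203.0.113.10", 23985),
    ("tcp", "203.0.113.10", 50122, "198.51.100.57", 22),
    ("tcp", "203.0.113.10", 50200, "198.51.100.248", 443),
    ("udp", "192.0.2.77", 40000, "198.51.100.12", 40000),  # symmetric, one peer
    ("udp", "192.0.2.53", 123, "198.51.100.57", 123),      # NTP-style noise
    ("udp", "192.0.2.80", 51000, "198.51.100.12", 53),     # asymmetric ports
]

def find_upstreams(flows, netblock, min_peers=2):
    """Map (upstream_ip, port) to the in-netblock peers it shares a
    symmetrical UDP port with, plus any TCP/22 or TCP/443 it opened to them."""
    net = ip_network(netblock)
    peers, mgmt = defaultdict(set), defaultdict(set)
    for proto, src, sport, dst, dport in flows:
        src_in, dst_in = ip_address(src) in net, ip_address(dst) in net
        if src_in == dst_in:
            continue  # need exactly one endpoint inside the monitored netblock
        inside, outside = (src, dst) if src_in else (dst, src)
        # Assumption: ports below 1024 are skipped to drop NTP/DNS-style symmetry.
        if proto == "udp" and sport == dport and sport >= 1024:
            peers[(outside, sport)].add(inside)
        elif proto == "tcp" and dst == inside and dport in (22, 443):
            mgmt[outside].add((inside, dport))
    found = {}
    for (upstream, port), hosts in peers.items():
        if len(hosts) < min_peers:
            continue  # a single symmetric flow is not a pattern
        found[(upstream, port)] = {
            "peers": sorted(hosts, key=ip_address),
            "mgmt": sorted((m for m in mgmt[upstream] if m[0] in hosts),
                           key=lambda m: (ip_address(m[0]), m[1])),
        }
    return found

if __name__ == "__main__":
    for key, info in find_upstreams(FLOWS, "198.51.100.0/24").items():
        print(key, info)
```

Each peer returned for an upstream is a candidate for passive DNS enrichment, and a peer that also appears in the `mgmt` list matches the setup-and-management behaviour the post describes.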
As previously, passive DNS information was used to enrich these IP addresses (Table 2).
We were able to link several of the domains contained in Table 2 to webinject panels associated with IcedID and QakBot campaigns.
Given the apparent concentration of webinject panels hosted within the 126.96.36.199/23 netblock, as well as some apparent commonalities in domain naming convention:
- frequent references to ‘cdn’ or ‘js’
- references to terms associated with content and website delivery, e.g., ‘auth’, ‘fetch’, ‘query’, and ‘tags’
- some targeting of specific financial entities, e.g., ‘huntinqton’ and ‘wellsoffice’
we decided to review passive DNS data for the entire netblock.
From a total of over 1,000 domains, a further 17 were highlighted as likely relevant to this analysis (Table 3).
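A first-pass triage of a netblock's passive DNS names against the naming conventions listed above might look like the following. This is an added example, not the analysts' method: the `BRANDS` watchlist, the edit-distance threshold, the function names and the `.example` sample names are assumptions; the three defanged domains are the ones named in this post.

```python
# Terms the post reports as recurring in panel domain names.
DELIVERY_TERMS = ("cdn", "js", "auth", "fetch", "query", "tags")
# Hypothetical watchlist of brand labels the defender protects.
BRANDS = ("huntington", "examplebank")

# Constructed passive DNS sample: three domains from the post plus filler.
PDNS = ["agentsjs[.]com", "huntinqton[.]net", "outresult[.]com",
        "cdn-auth-fetch.example", "huntington.example", "gardening-blog.example"]

def edit_distance(a, b):
    """Levenshtein distance using a single rolling row."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1,
                                       prev + (ca != cb))
    return row[-1]

def triage(domain, max_distance=2):
    """Return the reasons a passive DNS name deserves analyst review."""
    parts = domain.lower().replace("[.]", ".").rstrip(".").split(".")
    label = parts[-2] if len(parts) > 1 else parts[0]
    reasons = ["term:" + t for t in DELIVERY_TERMS if t in label]
    for brand in BRANDS:
        # Distance 0 is the brand's own label, so only near misses count.
        if 0 < edit_distance(label, brand) <= max_distance:
            reasons.append("lookalike:" + brand)
    return reasons

def shortlist(domains):
    """Keep names with at least one reason, most reasons first."""
    hits = {d: triage(d) for d in domains}
    return sorted((d for d in hits if hits[d]), key=lambda d: -len(hits[d]))

if __name__ == "__main__":
    for name in shortlist(PDNS):
        print(name, triage(name))
```

outresult[.]com produces no reasons here even though the post ties it to a panel through traffic analysis, so name-based triage narrows a review list but does not replace the flow pivot.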
As previously, we were able to link several of the domains contained in Table 3 to webinject panels associated with Dridex, IcedID and QakBot campaigns; additionally, one of the domains was linked to ZLoader.
By identifying the upstream IP addresses described above and subsequently monitoring traffic, we were able to observe threat actor infrastructure being set up in the days and hours before it was used to target victims. This allowed us to work with our community partners to limit the impact on potential victims.
The concept of ‘Threat Reconnaissance’ that we seek to promote using our Pure Signal™ Recon platform is the idea of proactively tracking threat actors so that Threat Intelligence becomes more than just a reactionary function.
By focusing on the webinjects element of the banking trojan attack model, we were able to apply this idea to multiple threat actor groups within the same reporting strand.
We hope that this research adds to the collective understanding of webinject panels, in particular how they are managed and distributed within the underground economy. Figure 2 (below) illustrates our understanding of how the operation described in this blog takes place.
Note that Figure 2 makes specific reference to 193.34.167[.]248 which, as previously mentioned, was used to host two webinject panels and was observed in connections with both 95.213.129[.]178 and 31.131.249[.]98.