Tips for Investigating Cybercrime Infrastructure

-

I'm surprised this is my first blog of 2023, but I have been more busy than usual. My work at the Equinix Threat Analysis Center (ETAC) has been very engaging and when I'm not chasing cyber bad guys with ETAC I'm writing down how to do it as I'm developing SANS FOR589: Cybercrime Intelligence

While researching packers and crypters (that are used to obfuscate malware code, like VMProtect or UPX), I came across a site in the search results billing itself as a generic "FUD Crypter" as-a-Service type offering (FUD = Fully Undetectable in cybercriminal lingo). The website "fudcrypter[.]io" is still online and looks pretty amateurish to me and was ripe for investigating.

Figure 1: Screenshot of the FUD Crypter website

I navigated around the site and hovered over some of the buttons and found redirects to another website called "data-encoder[.]com". This second site, however, was offline at the time I tried to visit it. But using a coveted CTI analyst tool I like to call the Wayback Machine I was able to see what it looked like. 

Figure 2: Screenshot of the Data Encoder website

I then decided to compare the Whois information between the two sites and, sure enough, there was a similar pattern that I could use to deduce both were most likely created by the same threat actor due to several factors; namely: use of the same domain registration services and hiding behind the Cloudflare CDN (more on that later).

Figure 3: Comparing the Whois data of the two sites

I wanted to find out more about FUDcrypter and Data-Encoder sites so I turned to some of my favourite Internet scanning services Shodan and Censys (two tools I believe any good CTI analyst should be well-acquainted with). I was not able to find much for data-encoder as the site had been down for a while it seems. But I did get lucky with the FUDcrypter site. I used Censys Search to find systems with the domain in the DNS settings.

Figure 4: DNS search in Censys for FUDcrypter

Eagle-eyed CTI analysts may have already noticed there are two results for FUDcrypter site, one for Cloudflare and one that's not on a Cloudflare IP. This is exactly the type of win we need when investigating cybercriminal infrastructure. Now we know what services the cybercriminals use to host their sites which are then put behind the Cloudflare CDN. To be clear, the CDN has not been bypassed but a misconfiguration (f*ck up) by the cybercriminals here has enabled us to be able to gather a lot more information about their infrastructure. We now know the operators of FUDcrypter do use Stark Industries (AS44477) virtual private servers (VPSs) to host their site. 

Figure 5: Raw JSON Censys scan data of Stark Industries VPS hosting the site

Again, those with superior vision may have already noticed that in the JSON output of the Censys search for the IP address is a subdomain "btcpay[.]fudcrypter[.]io", which is used by the operators of the crypter service to accept payment in Bitcoin for their crimeware. This is the type of common mistake cybercriminals make that as investigators we should be looking for to leverage to track campaigns and use to support takedowns and law enforcement investigations. 

Figure 6: Leaf data from Censys Search scans of the IP address

For bonus points, we can also pivot off of one of the other artifacts in the scan data. This includes the Windows Endpoint Hostname "DESKTOP-2NFCDE2" of the VPS used to host the site. It is possible to potentially identify other types of cybercriminal infrastructure potentially related to the same threat actor or related to the same service that is used by threat actors to host their malware C2s and other types of sites (like FUDcrypter).

Figure 7: Shodan Search for Windows Endpoint Hostname

Pivoting into Shodan scan data, it is possible to search for other VPS instances with the identical Windows Endpoint Hostname. Keen CTI analysts may have already spotted that STARK INDUSTRIES SOLUTIONS LTD makes up the majority of these, but interestingly some other VPS leasing services also appear, dispersed between Germany, Russia, and the US. I then took this list of IP addresses with the same Hostnames and did manage to find some malware C2 servers using it. 

Figure 8: Aurora Stealer C2 panel using "DESKTOP-2NFCDE2"

I took the list of IP addresses with the same Hostname from Shodan and searched them against sources of publicly reported malware C2 IP addresses. I was able to find several matches, including two Aurora Stealer C2 panels, two RecordBreaker Stealer payload stagers, and an njRAT payload stager using this relatively simple trick.

Figure 9: FUDcrypter private STUB service  

When I found the njRAT C2 server I looked at the VirusTotal relations of the IP and found an njRAT sample compiled in January 2023 called "Stub.exe". I did not confirm if it was packed with FUDcrypter/Data-Encoder, however, the service did have several mentions of a "private STUB" for "users wants to be particular [sic]". The private STUB service was allegedly updated every day and was unique for the cybercriminal who pays for it. Interestingly, it also came with a customer support ticketing system via email or Discord and the FUDcrypter operators even claimed they could connect to the customer's system using TeamViewer or AnyDesk remote monitoring and management (RMM) tools to provide them support. 

In closing, this blog was fun to put together and I will admit that I wrote it on my laptop from my bed after an evening session with my local 2600 crew. Hopefully this will inspire other curious threat intel analysts who also enjoy snooping on cybercriminal infrastructure.

See you around, Netrunners

References

https://web.archive.org/web/20230228040437/https://fudcrypter.io/

https://web.archive.org/web/20210517004154/https://data-encoder.com/

https://search.censys.io/search?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=dns.names%3AFUdCrypter.io

https://search.censys.io/hosts/94.131.111.198

https://search.censys.io/hosts/94.131.111.198/data/json?resource=hosts&sort=RELEVANCE&per_page=25&virtual_hosts=EXCLUDE&q=dns.names%3AFUdCrypter.io&at_time=2023-03-02T09%3A03%3A44.136Z

https://www.shodan.io/search?query=DESKTOP-2NFCDE2

https://blog.cyble.com/2023/01/18/aurora-a-stealer-using-shapeshifting-tactics/


Indicators of Compromise (available inside the links)

https://urlscan.io/result/e3de1fbb-d146-49fd-a78e-5471b73d86f4/

https://urlscan.io/result/b9fe896e-b3ba-4142-bc9c-50dd699484a3/

https://twitter.com/1ZRR4H/status/1593377638504087553?s=20

https://www.virustotal.com/gui/ip-address/91.109.178.9

Popular posts from this blog

Raspberry Robin: A global USB malware campaign providing access to ransomware operators

-
Image
Logo credit: RedCanary Ever since it first appeared in late 2021, the Raspberry Robin malware campaign has been propagating globally. A number of threat intelligence reports by vendors such as RedCanary (who named it) and Microsoft (who track it as DEV-0856/Storm-0856) have covered the malware campaign in great detail.  In fact, the list of blogs I do recommend to read to catch up on this threat are as follows: https://redcanary.com/blog/raspberry-robin https://www.microsoft.com/en-us/security/blog/2022/10/27/raspberry-robin-worm-part-of-larger-ecosystem-facilitating-pre-ransomware-activity https://blog.sekoia.io/raspberry-robins-botnet-second-life/ https://decoded.avast.io/janvojtesek/raspberry-robins-roshtyak-a-little-lesson-in-trickery/ https://research.checkpoint.com/2023/raspberry-robin-anti-evasion-how-to-exploit-analysis/ https://securityintelligence.com/posts/raspberry-robin-worm-dridex-malware/ https://blogs.cisco.com/security/raspberry-robin-highly-evasive-worm-spreads-over-e
Read more

Tracking Adversaries: Scattered Spider, the BlackCat affiliate

-
Image
After tracking the cybercrime threat landscape on a day-to-day basis for over four years now, it’s not that often anymore that something surprises me. But the latest trend of a suspected English-speaking big game hunting cybercriminal group, tracked under the moniker as Scattered Spider by CrowdStrike or 0ktapus by Group-IB, teaming up with a Russian-speaking ransomware group known as BlackCat (or ALPHV) has caught my attention. Background on Scattered Spider CrowdStrike introduced Scattered Spider in December 2022 and shared an update in January 2023 . These financially motivated English-speaking threat actors are known for their unique style of attacks, which usually all begin the same way, either via an SMS phishing message to harvest credentials or via an old school (yet still very effective) social engineering vishing call to get credentials or get the target to download malicious software and provide access. Other tricks Scattered Spider is known for includes multi-factor
Read more

Lessons from the iSOON Leaks

-
Image
  Introduction A Chinese Ministry of Public Security (MPS) contractor called  iSOON (also known as Anxun Information) that  specializes in network penetration research and related services has had its data leaked to GitHub. Based on the level of detail, leaked chat logs, amount of data, and corroboration from overlaps indicators of compromise (IOCs), there is a high level of confidence it is legit. Preliminary findings from less than one week since the leak revealed that it contains unprecedented insights into how the Chinese MPS operates by using Chinese commercial surveillance vendors and what their technical capabilities are. The Chinese MPS is China’s internal security service that primarily focuses on  internal and border security, counter-terrorism, surveillance. The MPS is comparable to the  Russian FSB, the US DHS or the UK’s MI5. The most interesting findings have come from iSOON’s product whitepapers and confidential slide deck presentations given to their MPS clients. About
Read more