Tips for Investigating Cybercrime Infrastructure

I'm surprised this is my first blog of 2023, but I have been busier than usual. My work at the Equinix Threat Analysis Center (ETAC) has been very engaging, and when I'm not chasing cyber bad guys with ETAC I'm writing down how to do it as I develop SANS FOR589: Cybercrime Intelligence.

While researching packers and crypters (that are used to obfuscate malware code, like VMProtect or UPX), I came across a site in the search results billing itself as a generic "FUD Crypter" as-a-Service type offering (FUD = Fully Undetectable in cybercriminal lingo). The website "fudcrypter[.]io" is still online and looks pretty amateurish to me and was ripe for investigating.

Figure 1: Screenshot of the FUD Crypter website

I navigated around the site and hovered over some of the buttons and found redirects to another website called "data-encoder[.]com". This second site, however, was offline at the time I tried to visit it. But using a coveted CTI analyst tool I like to call the Wayback Machine, I was able to see what it looked like.

Figure 2: Screenshot of the Data Encoder website

I then decided to compare the Whois information between the two sites and, sure enough, there was a similar pattern from which I could deduce that both were most likely created by the same threat actor, namely: use of the same domain registration services and hiding behind the Cloudflare CDN (more on that later).

Figure 3: Comparing the Whois data of the two sites

I wanted to find out more about the FUDcrypter and Data-Encoder sites, so I turned to some of my favourite Internet scanning services, Shodan and Censys (two tools I believe any good CTI analyst should be well-acquainted with). I was not able to find much for data-encoder, as the site had been down for a while it seems. But I did get lucky with the FUDcrypter site. I used Censys Search to find systems with the domain in the DNS settings.

Figure 4: DNS search in Censys for FUDcrypter

Eagle-eyed CTI analysts may have already noticed there are two results for the FUDcrypter site, one on a Cloudflare IP and one that's not on a Cloudflare IP. This is exactly the type of win we need when investigating cybercriminal infrastructure. Now we know what services the cybercriminals use to host their sites before putting them behind the Cloudflare CDN. To be clear, the CDN has not been bypassed, but a misconfiguration (f*ck up) by the cybercriminals here has enabled us to gather a lot more information about their infrastructure. We now know the operators of FUDcrypter do use Stark Industries (AS44477) virtual private servers (VPSs) to host their site.

Figure 5: Raw JSON Censys scan data of Stark Industries VPS hosting the site

Again, those with superior vision may have already noticed that the JSON output of the Censys search for the IP address contains a subdomain, "btcpay[.]fudcrypter[.]io", which is used by the operators of the crypter service to accept payment in Bitcoin for their crimeware. This is the type of common mistake cybercriminals make that we, as investigators, should be looking for and leveraging to track campaigns and to support takedowns and law enforcement investigations.

Figure 6: Leaf data from Censys Search scans of the IP address

For bonus points, we can also pivot off one of the other artifacts in the scan data. This includes the Windows Endpoint Hostname "DESKTOP-2NFCDE2" of the VPS used to host the site. With it, it is potentially possible to identify other cybercriminal infrastructure related to the same threat actor, or related to the same service that threat actors use to host their malware C2s and other types of sites (like FUDcrypter).

Figure 7: Shodan Search for Windows Endpoint Hostname

Pivoting into Shodan scan data, it is possible to search for other VPS instances with the identical Windows Endpoint Hostname. Keen CTI analysts may have already spotted that STARK INDUSTRIES SOLUTIONS LTD makes up the majority of these, but interestingly some other VPS leasing services also appear, dispersed between Germany, Russia, and the US. I then took this list of IP addresses with the same Hostname and did manage to find some malware C2 servers using it.

Figure 8: Aurora Stealer C2 panel using "DESKTOP-2NFCDE2"

I took the list of IP addresses with the same Hostname from Shodan and searched them against sources of publicly reported malware C2 IP addresses. I was able to find several matches, including two Aurora Stealer C2 panels, two RecordBreaker Stealer payload stagers, and an njRAT payload stager using this relatively simple trick.
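The whole pivot chain described above (domain to CDN-fronted and origin hosts, origin host to its Windows hostname, hostname to other hosts sharing it, and finally those hosts against a C2 feed) is easy to automate once the scan results are in hand. The following is an added example and not the author's own tooling: the host records and the C2 feed are constructed to mimic the general shape of Censys/Shodan host results (the field names are an assumption, not either service's exact schema), the IP addresses come from RFC 5737 documentation ranges, and the only values taken from the post are the domain, the Stark Industries ASN, and the DESKTOP-2NFCDE2 hostname.

```python
"""Pivot from a CDN-fronted domain to origin hosting and related C2 hosts.

Added example, not code from the original post. Records below are
constructed; IPs are RFC 5737 placeholders.
"""
import ipaddress
from collections import Counter

CLOUDFLARE_ASN = 13335   # Cloudflare's real ASN
STARK_ASN = 44477        # Stark Industries, as noted in the post

# Constructed host records (field names are an assumption, not a real schema).
HOST_RECORDS = [
    {"ip": "192.0.2.10", "asn": CLOUDFLARE_ASN, "as_name": "CLOUDFLARENET",
     "dns_names": ["fudcrypter.io"], "windows_hostname": None},
    {"ip": "198.51.100.7", "asn": STARK_ASN, "as_name": "STARK INDUSTRIES SOLUTIONS LTD",
     "dns_names": ["fudcrypter.io", "btcpay.fudcrypter.io"],
     "windows_hostname": "DESKTOP-2NFCDE2"},
    {"ip": "198.51.100.21", "asn": STARK_ASN, "as_name": "STARK INDUSTRIES SOLUTIONS LTD",
     "dns_names": [], "windows_hostname": "DESKTOP-2NFCDE2"},
    {"ip": "203.0.113.5", "asn": 64496, "as_name": "EXAMPLE-VPS-DE",
     "dns_names": [], "windows_hostname": "DESKTOP-2NFCDE2"},
    {"ip": "203.0.113.99", "asn": 64496, "as_name": "EXAMPLE-VPS-DE",
     "dns_names": [], "windows_hostname": "DESKTOP-ABCDEF1"},
]

# Constructed stand-in for a public C2 feed: ip -> reported family.
C2_FEED = {
    "198.51.100.21": "Aurora Stealer",
    "203.0.113.5": "njRAT",
    "203.0.113.200": "RecordBreaker",
}


def _under_domain(name, domain):
    return name == domain or name.endswith("." + domain)


def split_cdn_and_origin(records, domain, cdn_asn=CLOUDFLARE_ASN):
    """Hosts carrying the domain in DNS, split into CDN IPs and non-CDN (origin) IPs."""
    cdn, origin = [], []
    for r in records:
        if any(_under_domain(n, domain) for n in r["dns_names"]):
            (cdn if r["asn"] == cdn_asn else origin).append(r["ip"])
    return cdn, origin


def leaked_subdomains(records, ips, domain):
    """Subdomains exposed on the origin hosts (e.g. a payment portal)."""
    return sorted({n for r in records if r["ip"] in ips
                   for n in r["dns_names"] if _under_domain(n, domain) and n != domain})


def hosts_sharing_hostname(records, hostname, exclude=()):
    """Other hosts whose banners show the same Windows hostname.
    Caveat: a templated hostname can be shared by unrelated VPS tenants,
    so treat this as a lead to corroborate, not proof of a common operator."""
    return {r["ip"] for r in records
            if r["windows_hostname"] == hostname and r["ip"] not in exclude}


def provider_breakdown(records, hostname):
    """Which hosting providers the shared hostname appears on."""
    return Counter(r["as_name"] for r in records if r["windows_hostname"] == hostname)


def match_c2_feed(ips, feed):
    """Intersect candidate IPs with a C2 feed, skipping malformed feed entries."""
    hits = {}
    for ip in ips:
        try:
            ipaddress.ip_address(ip)
        except ValueError:
            continue
        if ip in feed:
            hits[ip] = feed[ip]
    return hits


def investigate(records, domain, feed):
    """Run the full pivot chain and return the findings as one dict."""
    cdn, origin = split_cdn_and_origin(records, domain)
    hostnames = {r["windows_hostname"] for r in records
                 if r["ip"] in origin and r["windows_hostname"]}
    related = set()
    for h in hostnames:
        related |= hosts_sharing_hostname(records, h, exclude=origin)
    return {
        "cdn_ips": cdn,
        "origin_ips": origin,
        "subdomains": leaked_subdomains(records, origin, domain),
        "hostnames": sorted(hostnames),
        "related_ips": sorted(related),
        "c2_hits": match_c2_feed(related, feed),
    }


if __name__ == "__main__":
    for k, v in investigate(HOST_RECORDS, "fudcrypter.io", C2_FEED).items():
        print(f"{k}: {v}")
```

Run as-is, the script reports the Cloudflare IP and the origin IP separately, surfaces the btcpay subdomain from the origin record, collects the shared DESKTOP-2NFCDE2 hostname, lists the two other hosts carrying it, and flags which of those appear in the feed. Swapping the constructed lists for real Censys/Shodan exports and a real C2 feed is the only change needed to reuse the chain on a live investigation.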

Figure 9: FUDcrypter private STUB service  

When I found the njRAT C2 server I looked at the VirusTotal relations of the IP and found an njRAT sample compiled in January 2023 called "Stub.exe". I did not confirm if it was packed with FUDcrypter/Data-Encoder, however, the service did have several mentions of a "private STUB" for "users wants to be particular [sic]". The private STUB service was allegedly updated every day and was unique for the cybercriminal who pays for it. Interestingly, it also came with a customer support ticketing system via email or Discord and the FUDcrypter operators even claimed they could connect to the customer's system using TeamViewer or AnyDesk remote monitoring and management (RMM) tools to provide them support. 

In closing, this blog was fun to put together and I will admit that I wrote it on my laptop from my bed after an evening session with my local 2600 crew. Hopefully this will inspire other curious threat intel analysts who also enjoy snooping on cybercriminal infrastructure.

See you around, Netrunners

Indicators of Compromise (available inside the links)