A few weeks back, we added unpublicized artifacts to the list of indicators of compromise (IoCs) published by both FireEye and Open Source Context back in December 2020. Some would have thought that would put a stop to the havoc the SolarWinds threat actors have been wreaking, but the group targeted Malwarebytes just recently according to a company report.

As we have done before, this post sought to expand the list of published additional IoCs using a variety of domain and IP intelligence tools.

Additional IoCs According to CISA

Apart from some IoCs publicized in December 2020, the Cybersecurity & Infrastructure Security Agency (CISA) published the following additional data points, among others, on 6 January 2021:

• Three newly discovered domains (i.e., ervsystem[.]com, infinitysoftwares[.]com, and mobilnweb[.]com)
• Two IP addresses that two of the newly discovered domains resolved to (i.e., 107[.]152[.]35[.]77—infinitysoftwares[.]com and 198.12.75[.]112—ervsystem[.]com)

What We Discovered about the Additional IoCs

Additional Domain List Expansion

We subjected the three domain additions to WHOIS lookups (including WHOIS history) and found that:

• The domains were, like the previously publicized ones, relatively aged, ranging from 1—3 years old. Ervsystem[.]com was registered on 4 February 2018, infinitysoftwares[.]com on 28 January 2019, and mobilnweb[.]com on 28 September 2019. This strategy could be part of the attackers’ attempt to evade the usual security protocol of blocking access to and from newly registered domains (NRDs).
• All three domains’ WHOIS records are privacy-protected albeit by varying organizations (i.e., ervsystem[.]com by Anonymize, Inc., infinitysoftwares[.]com by PrivacyGuardian.org, and mobilnweb[.]com by WhoisGuard, Inc.). Since the domains were not new, they all had previous owners, some of which were named, although they are probably domainers, given the number of domains the registrants owned.
• The three domains each had a different registrar (i.e., ervsystem[.]com—Epik, Inc., infinitysoftwares[.]com—NameSilo LLC, and mobilnweb[.]com—Namecheap, Inc.).
• Two of the three domains (i.e., ervsystem[.]com and infinitysoftwares[.]com) were registered in the U.S. while mobilnweb[.]com was registered in Panama.

To see if additional artifacts could be added to the updated list of IoCs CISA published, we queried the newly added domains on DNS Lookup API. Our findings are listed below.

• The three domains were connected to 11 IP addresses, nine of which are not included even in CISA’s updated IoC list. These nine IP addresses are:
  • 85[.]17[.]31[.]82
  • 85[.]17[.]31[.]122
  • 178[.]162[.]203[.]202
  • 178[.]162[.]203[.]211
  • 178[.]162[.]203[.]226
  • 178[.]162[.]217[.]107
  • 5[.]79[.]71[.]205
  • 5[.]79[.]71[.]225
  • 172[.]97[.]71[.]162

• Six of the nine additional IP addresses listed above are tagged “malicious” on VirusTotal. These are:

  • 85[.]17[.]31[.]82
  • 178[.]162[.]203[.]202
  • 178[.]162[.]203[.]226
  • 178[.]162[.]217[.]107
  • 5[.]79[.]71[.]205
  • 5[.]79[.]71[.]225

To find out more about the additional IP addresses we uncovered, we subjected them to reverse IP/DNS lookups, which revealed that:

• All of the six malicious IP addresses cited above were connected to at least 300 domains each.
• Interestingly, they all resolved to the malicious domain 0-0-0-0-0-0-0-0-0-0-0-0-0-10-0-0-0-0-0-0-0-0-0-0-0-0-0[.]info.

As this post showed, further scrutiny of IoCs using domain and IP/DNS intelligence tools can uncover more artifacts. That said, organizations may not need to stop at including publicized IoCs to their blacklists and can strive to cover as many potential additional attack vectors where possible.

If you’re a security researcher, architect, or product developer working toward making the world safe from threats, contact us if you want to know more about the artifacts mentioned in this post or just want to collaborate with us for any security research initiative.