
Exposing a Currently Active Ashiyane Digital Security Domain Infrastructure

The infamous gray hat security company Ashiyane Digital Security Team went back online in 2021. At that time, WhoisXML API threat researcher Dancho Danchev exposed more than 100 domains belonging to the group. We recently expanded that analysis to further explore the Iran-based threat group’s Internet-connected infrastructure. Our findings include:

  • 440+ domains seemingly managed and operated by the Ashiyane Digital Security Team
  • 10,900+ related digital properties connected to the group through a domain privacy protection service it is believed to operate
  • 4,000+ currently active and resolving domains tied to the group
  • Several domains hosting gambling, adult, news, and possible phishing content
  • About 1% of the properties flagged as malicious by malware engines

A sample of the additional artifacts obtained from our analysis is available for download from our website.

The Ashiyane Domain Infrastructure

The investigation began with a Gmail address associated with the Ashiyane Digital Security Team. Using Reverse WHOIS API, we found 441 domain names registered with that address.

We also uncovered an extensive portfolio of 10,968 further domains that we consider related to the threat group: they are registered through a domain privacy protection service believed to be managed by the Ashiyane Digital Security Team. This is an indirect link, so the set can include customers of that service with no other tie to the group, which is why the two tiers are tracked separately throughout this analysis.

Our analysis focused on retrieving as much information about the group’s infrastructure as possible, including lexical usage, administrative details, presence in malware engine databases, and website content.

Administration Details

A bulk IP lookup for the domains we uncovered revealed that only about 35% of them currently resolve to an IP address. The top Internet service provider (ISP) is Limestone Networks, accounting for 21.3% of the domain resolutions. It is followed by Amazon, EGIHosting, Team Internet, Linode, Nforce Entertainment, Leaseweb, Peg Tech, Nocix, and Centrilogic. The rest of the resolving domains are distributed across 164 other ISPs.

Figure 1: ISP distribution of actively resolving domains directly and indirectly managed by or connected to the Ashiyane Digital Security Team

Most of the domains are administered through domain privacy protection services. More than half of them use Media Elite Holdings Limited as their registrar and Fundacion Privacy Services Ltd. as their privacy provider. The other top registrars include eName, DropCatch, Sav.com, GoDaddy, OwnRegistrar, GMO Internet, NameSilo, Alibaba, and Namecheap.

Figure 2: Registrar distribution of actively resolving domains directly and indirectly managed by the Ashiyane Digital Security Team

Malware Detection

Despite their direct or indirect association with the Ashiyane Digital Security Team, only about 1% of the properties have been flagged as malicious by various malware engines. A clean verdict from such engines is not evidence that a domain is benign, only that it has not yet been observed doing harm; parked and dormant domains in particular rarely carry a flag.

Lexical Analysis of the Domains

We analyzed the most common text strings and top-level domains (TLDs) used in the domains connected to the Ashiyane Digital Security Team, as this can help security teams focus on what to look out for.

Despite having thousands of TLD options, the domains in the study use only 13 TLDs. Close to 91% use the .com extension, while about 8% fall under the .net TLD. The remaining domains use .ir, .org, .info, .us, .xyz, .biz, .me, .co, .asia, .wtf, or .pro.

Generic terms such as “free,” “online,” and “shop” are common, but there are also geographically targeted strings like “usa,” “uk,” and “ny.” These are reflected in the word cloud below.

Figure 3: Word cloud showing the most common text strings used in the Ashiyane-connected domains

The repeated appearance of the “xn--” prefix shows that several properties in the group’s network are internationalized domain names (IDNs) in their Punycode (ASCII-compatible) form. Those labels should be decoded to Unicode before any lexical analysis, since a homograph lookalike of a brand name is only visible in the decoded form. Many of the domains also embed TLD strings inside the second-level domain (SLD), such as wwwnew47com[.]com, linkedincom[.]com, richlifeco[.]com, and ashiyane-co[.]com, a pattern that mimics a legitimate “brand.com” when the real dot is dropped.
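The lexical checks described in this section (TLD share, Punycode labels, TLD strings embedded in the SLD, and the tokens that feed a word cloud) can be scripted over a domain export. The script below is an added example written for this page, not WhoisXML API’s tooling or code from the original research; it also goes one step beyond the article by matching a brand watch list. The domain list, the TLD_LIKE list, and the BRANDS list are constructed for illustration (only the four “com.com”-style names and the impersonated brands come from the article), and nothing in it calls a network API.

```python
"""Lexical triage of a domain list: TLD share, Punycode (xn--) labels decoded
to Unicode, TLD-like strings embedded in the second-level label, brand tokens,
and token counts for a word cloud.  Added example; the input is constructed
and nothing here touches the network."""
from collections import Counter
import re

# TLD strings that, when they end the second-level label, suggest a
# "<brand>.<tld>" lookalike such as linkedincom.com (assumption: extend as needed).
TLD_LIKE = ("com", "net", "org", "info", "co")

# Brand tokens the article reports as impersonated, plus linkedin from the
# example domains.  Assumption: a watch list supplied by the analyst.
BRANDS = ("apple", "intuit", "paypal", "walmart", "linkedin")

# Constructed sample input; the defanged "[.]" notation is accepted.
SAMPLE_DOMAINS = [
    "wwwnew47com[.]com",
    "linkedincom[.]com",
    "richlifeco[.]com",
    "ashiyane-co[.]com",
    "xn--pple-43d[.]com",          # Punycode of "аpple" with a Cyrillic a (constructed)
    "paypal-secure-login[.]net",
    "free-online-shop-usa[.]com",
    "example-news[.]ir",
]


def refang(domain):
    """Normalise case, whitespace and the [.] defanging convention."""
    return domain.strip().lower().replace("[.]", ".")


def split_domain(domain):
    """Return (second-level part, tld).  Treats the last label as the TLD,
    which holds for the 13 single-label TLDs in the study; multi-label
    suffixes such as co.uk would need the public suffix list."""
    labels = refang(domain).split(".")
    return ".".join(labels[:-1]), labels[-1]


def tld_distribution(domains):
    """Share of each TLD as a fraction of the input."""
    counts = Counter(split_domain(d)[1] for d in domains)
    return {tld: n / len(domains) for tld, n in counts.items()}


def idn_labels(domains):
    """Map each xn-- domain to its Unicode form via the stdlib idna codec.
    Labels that do not round-trip keep the raw name so the record is still
    reported rather than silently dropped."""
    decoded = {}
    for d in map(refang, domains):
        if any(label.startswith("xn--") for label in d.split(".")):
            try:
                decoded[d] = d.encode("ascii").decode("idna")
            except UnicodeError:
                decoded[d] = d
    return decoded


def tld_in_sld(domains):
    """(domain, tld-like suffix) for second-level labels ending in a TLD string.
    Hyphens are removed first so ashiyane-co.com is caught like richlifeco.com.
    Ordinary words such as 'disco' produce false positives: treat hits as leads."""
    hits = []
    for d in domains:
        sld, _ = split_domain(d)
        core = sld.split(".")[-1].replace("-", "")
        for t in TLD_LIKE:
            if len(core) > len(t) and core.endswith(t):
                hits.append((refang(d), t))
                break
    return hits


def brand_hits(domains):
    """(domain, brand) pairs where a watched brand token appears in the SLD.
    ASCII-only on purpose: the decoded Cyrillic homograph from xn--pple-43d
    will NOT match 'apple', which is why IDNs get a separate review."""
    return [(refang(d), b) for d in domains for b in BRANDS
            if b in split_domain(d)[0].replace("-", "")]


def common_tokens(domains, min_len=3):
    """Counter of alphabetic tokens in second-level labels (word-cloud input).
    Punycode labels are skipped; digits and hyphens split tokens."""
    counts = Counter()
    for d in domains:
        sld, _ = split_domain(d)
        for label in sld.split("."):
            if label.startswith("xn--"):
                continue
            counts.update(t for t in re.findall(r"[a-z]+", label) if len(t) >= min_len)
    return counts


if __name__ == "__main__":
    print("TLD share:", tld_distribution(SAMPLE_DOMAINS))
    print("IDN labels:", idn_labels(SAMPLE_DOMAINS))
    print("TLD inside SLD:", tld_in_sld(SAMPLE_DOMAINS))
    print("Brand tokens:", brand_hits(SAMPLE_DOMAINS))
    print("Top tokens:", common_tokens(SAMPLE_DOMAINS).most_common(5))
```

Feed it the real export instead of SAMPLE_DOMAINS and the four functions reproduce the figures in this section; the only design choice worth noting is that the IDN decoder and the brand matcher are kept apart, so a homograph never silently disappears from the brand report.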

Website Content

We analyzed the content of the actively resolving domains using Website Screenshot API. Several are parked or serve default index or 404 pages. Others host or redirect to pages with gambling, adult, e-commerce, and news content.

Some interesting and possibly malicious content we found is shown in the screenshots below. The domains and their hosted content appear to impersonate legitimate businesses, such as Apple, Intuit, PayPal, and Walmart.

Security teams can proactively monitor digital properties connected to the Ashiyane Digital Security Team and other threat groups by starting from publicly available indicators of compromise (IoCs) and pivoting on shared DNS and WHOIS characteristics, such as registrant details, privacy provider, nameservers, and hosting IP addresses. A privacy provider or a hosting IP on its own is shared by many unrelated customers, so a single common attribute is a lead to review rather than an attribution.
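The expansion this article performs, a direct tier found by registrant e-mail and an indirect tier reached through shared WHOIS and DNS attributes, is a pivot that can be expressed in a few lines once the records are in hand. The script below is an added example written for this page, not WhoisXML API’s code or the research’s actual method. Its records are constructed (reserved .example names, documentation IP ranges, a placeholder seed e-mail); the registrar and privacy-provider strings on the seed records are the ones the article reports, and everything else is a placeholder. The tiering rule, two independent shared attributes for an indirect hit, is this example’s own choice.

```python
"""Pivot from a seed registrant e-mail over shared WHOIS/DNS attributes.
Added example; records are constructed and do not describe real domains."""
from collections import Counter

SEED_EMAIL = "seed-registrant@example.com"   # stands in for the article's Gmail address

# Constructed WHOIS/DNS export (assumption: one dict per domain, None = redacted).
RECORDS = [
    {"domain": "seed-one.example", "email": SEED_EMAIL,
     "registrar": "Media Elite Holdings Limited",
     "privacy": "Fundacion Privacy Services Ltd",
     "ns": {"ns1.shared-dns.example", "ns2.shared-dns.example"}, "ip": "203.0.113.10"},
    {"domain": "seed-two.example", "email": SEED_EMAIL,
     "registrar": "Media Elite Holdings Limited",
     "privacy": "Fundacion Privacy Services Ltd",
     "ns": {"ns1.shared-dns.example"}, "ip": "203.0.113.11"},
    # redacted registrant, same privacy service AND same nameserver -> indirect
    {"domain": "pivot-strong.example", "email": None,
     "registrar": "Media Elite Holdings Limited",
     "privacy": "Fundacion Privacy Services Ltd",
     "ns": {"ns1.shared-dns.example"}, "ip": "203.0.113.12"},
    # same privacy service only: could be any customer of that service -> weak
    {"domain": "pivot-privacy-only.example", "email": None,
     "registrar": "Media Elite Holdings Limited",
     "privacy": "Fundacion Privacy Services Ltd",
     "ns": {"ns1.other-dns.example"}, "ip": "198.51.100.5"},
    # shares a hosting IP only (shared hosting is common) -> weak
    {"domain": "pivot-ip-only.example", "email": None,
     "registrar": "Other Registrar", "privacy": "Other Privacy Ltd",
     "ns": {"ns1.other-dns.example"}, "ip": "203.0.113.10"},
    # nothing in common -> not reported
    {"domain": "unrelated.example", "email": "someone-else@example.org",
     "registrar": "Other Registrar", "privacy": None,
     "ns": {"ns1.other-dns.example"}, "ip": "198.51.100.6"},
]


def pivot(records, seed_email):
    """Return {domain: (tier, [shared attributes])}.

    direct   - registrant e-mail equals the seed.
    indirect - at least two independent attributes shared with the direct set
               (privacy provider, nameserver, hosting IP).
    weak     - exactly one shared attribute; reported for review, not attributed.
    Domains sharing nothing are omitted.  Registrar is deliberately not a pivot:
    the article's top registrars are large commercial ones."""
    direct = [r for r in records if r["email"] == seed_email]
    privacy = {r["privacy"] for r in direct if r["privacy"]}
    nameservers = set().union(*(r["ns"] for r in direct))
    ips = {r["ip"] for r in direct if r["ip"]}

    result = {}
    for r in records:
        if r["email"] == seed_email:
            result[r["domain"]] = ("direct", ["registrant email"])
            continue
        shared = []
        if r["privacy"] and r["privacy"] in privacy:
            shared.append("privacy service")
        if r["ns"] & nameservers:
            shared.append("nameserver")
        if r["ip"] and r["ip"] in ips:
            shared.append("ip")
        if len(shared) >= 2:
            result[r["domain"]] = ("indirect", shared)
        elif shared:
            result[r["domain"]] = ("weak", shared)
    return result


def tier_counts(result):
    """Domains per tier, the split a figure like this article's would show."""
    return Counter(tier for tier, _ in result.values())


if __name__ == "__main__":
    hits = pivot(RECORDS, SEED_EMAIL)
    for domain, (tier, why) in hits.items():
        print(f"{tier:8} {domain:28} via {', '.join(why)}")
    print(dict(tier_counts(hits)))
```

Run against a real Reverse WHOIS or passive-DNS export the same function yields the direct/indirect split used in this article; the weak tier is where the “about 1% malicious” observation matters most, since those domains share one attribute with the group and nothing else.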

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

