SecurityScorecard published a report on a cyber attack that a U.S. county victim announced on 11 September 2022. With ransomware attacks against local government units increasing in the past few years, WhoisXML API researchers decided to build on the list of IP addresses related to the attacks. Our findings include:

• One of the IP addresses tagged as an indicator of compromise (IoC) resolved to one domain.
• The connected domain’s deep WHOIS history pointed us to more than 4,000 additional artifacts, some of which have already figured in malicious campaigns.
• The Cryxos trojan IoCs currently resolving to domains were mostly geolocated in Europe.
• We found more than 390 domains connected to the Cryxos IoCs, several of which were subdomains of legitimate domains.
• Some of the subdomains connected to the Cryxos IoCs were malicious, including bank-related cybersquatting properties. Further expansion led us to hundreds of malicious domains targeting Chase Bank.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

What We Know about the Attack

SecurityScorecard’s analysis of the network flow revealed three suspicious IP addresses communicating with victims’ vulnerable software and open ports. These communications happened in July, leading to a service disruption on 11 September 2022.

Several security engines flagged a couple of the IP addresses as malicious. Both of these were managed by Digital Ocean and geolocated in Hessen, Germany and New Jersey, U.S. The other IP address was geolocated in India.

IoC Analysis and Expansion

Reverse IP lookups on the IP addresses tagged as IoCs revealed that only 142[.]93[.]204[.]250 resolved to the domain johnharrisdesign[.]com. This IP address has been observed to carry out brute force attacks. SecurityScorecard also reported that the IP address transferred 352.26KB of data to one of the IP addresses.

The IP resolution was first seen in November 2019 and last updated in November 2022, a few weeks after its involvement in an attack. The domain has been associated with the malicious IP address since 2019 and around the time the attack occurred.

We followed the trail to expand the list of IoCs and find more suspicious web properties potentially connected to the actors behind the attack.

Gleaning Insights from WHOIS History

The current WHOIS record of johnharrisdesign[.]com is privacy protected. However, its historical WHOIS records revealed some consistent data., including the same registrant name, state, and country throughout its years-long history.

• Registrar: GoDaddy
• Registrant name: John Harris
• Registrant state or region: Pennsylvania
• Registrant country: U.S.

We also discovered a couple of unredacted registrant email addresses prior to WHOIS data redaction.

Uncovering Connected Domains

We found more than 4,400 domain names registered by the same entity at one point in time. While some of them may have coincidental connections since the registrant’s name is quite common, a bulk malware check on the properties revealed that some of them have already been weaponized.

Most of the malicious artifacts had deep WHOIS histories, allowing us to retrieve four unredacted email addresses. One of them was used to register more than 1,300 domains. It’s wise to pay attention to such artifacts since they are closely related to a confirmed malicious domain.

A bulk WHOIS lookup on the properties revealed that the domains were managed by various registrars despite being owned by the same registrant. The chart below shows their distribution based on registrar.

Beyond the Attack and into the Inner Workings of Cryxos

One way threat actors gain access to victims’ systems was via the Cryxos trojan. The malware facilitated callback phishing campaigns by alerting targets about fake malware infections. It then prompted users to call a phone number to fix the problem.

We analyzed the Cryxos IoCs published by several sources. According to IP geolocation lookups, seven of the nine currently resolving properties tagged as IoCs were geolocated in Europe.

Reverse DNS searches for the IoCs pointed us to more than 390 domains that shared their IP hosts. Most of the subdomains resided on dynamic DNS service domains, such as ddns[.]net, bounceme[.]net, and hopto[.]org.

Some of the subdomains were flagged as malicious during our malware check. They included those that appear to have used domain generation algorithms (DGAs). Some also imitated the digital properties of well-known financial institutions, specifically Chase Bank and Glacier Bank.

Expanding the List of Cryxos IoCs

Again, we followed the trail the DNS intelligence presented. Using Domains & Subdomains Discovery, we looked for subdomains bearing the string “chaseauthverify,” which was used in one of the malicious properties. We found 26 subdomains, about one-third of which have already figured in malicious campaigns.

Expanding our search to include web properties containing “chase,” “auth,” and “verify” in any order, we found 1,446 domains. A bulk malware check revealed that 36% of these subdomains or their root domains have already been weaponized.

Threat hunting may seem like a wild goose chase at the start, especially since threat actors are often stealth masters. In this investigation, for instance, we started with only three IP addresses tagged as IoCs in a U.S. county cyber attack. Only one of the IP addresses had a related domain, leading us to several malicious domains connected to the same registrant name.

Our investigation of the Cryxos trojan IoCs led to a similar scenario. Nine resolving IoCs led us to hundreds of malicious digital resources, possibly targeting Chase Bank and its clients.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.