
Gauging How Big a Threat Gigabud RAT Is Through an IoC List Expansion Analysis

Targeting governments the world over in cyber attacks is not a novel concept. Doing that through mobile apps, however, is quite new as a tactic. And that’s what Cyble researchers reported as Gigabud RAT’s modus operandi—training its sights on citizens of Thailand, the Philippines, and Peru who use government-owned institutions’ mobile apps.

The Cyble analysis identified 10 indicators of compromise (IoCs) for this threat—six malware hashes and four URLs. We stripped down the URLs to three domains and one IP address in hopes of identifying more artifacts that potential targets could block or monitor should the threat actors train their sights on them. Our IoC list expansion exercise led to the discovery of:

  • Three IP addresses to which the domains resolved
  • 301 IP-connected domains, seven of which turned out to be malicious
  • 367 string-connected domains, eight of which have been dubbed malware hosts
  • 519 brand-connected domains, 11 of which were tagged malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Uncovering Facts about Gigabud RAT Infrastructure

WHOIS lookups for the domains identified as IoCs revealed interesting similarities, including that they all pointed to the U.S. as their registrant country and were newly registered—between November and December 2022. Interestingly, though, while the IoC cmnb9[.]cc was registered in the U.S., its IP host 18[.]143[.]123[.]20 was geolocated in Singapore.

DNS lookups for the domains tagged as IoCs gave us three additional IP addresses—18[.]143[.]123[.]20, 104[.]21[.]41[.]159, and 172[.]67[.]148[.]55.

Using these IP addresses as reverse IP/DNS lookup search terms allowed us to uncover 301 more possibly connected domains, as they shared the IoCs’ IP hosts. A bulk malware check for the artifacts showed that seven were malicious. Two of these dangerous properties should be avoided most, since screenshot lookups revealed that they’re live—bestvpnshop[.]com (looks to be a shop selling virtual private network [VPN] services) and brandmybooks[.]com (seems like an online betting site).

To further our search for more Gigabud RAT digital breadcrumbs, we used the unique strings found among the IoCs as Domains & Subdomains Discovery search terms (see the table below).

IoC               | String Used as Search Term
------------------|---------------------------
lionaiothai[.]com | lionaiothai.
cmnb9[.]cc        | cmnb*.
bweri6[.]cc       | bweri*.

Our search led to the discovery of 367 domains, eight of which were confirmed to be malware hosts. Including these in blocklists is advisable.

The Gigabud RAT analysis also mentioned eight organization targets—Banco de Comercio, Advice, Thai Lion Air, Shopee, SUNAT, DSI, BIR, and Kasikornbank. Using their names as Domains & Subdomains Discovery search terms (see the table below for the exact strings used) enabled us to find 519 additional domains, 11 of which were dubbed malware hosts. Note that we limited our search to domains that began with the single strings and, for the two-part strings, to domains that started with the first term and also contained the second one.

Target Organization                              | String Used as Search Term
-------------------------------------------------|---------------------------
Banco de Comercio                                | bancomercio.
Advice                                           | advice.+th
Thai Lion Air                                    | lionairthai.
Shopee Thailand                                  | shopee.
SUNAT                                            | sunat.
DSI (Department of Special Investigation Thailand) | dsi.+th
BIR (Bureau of Internal Revenue Philippines)     | bir.+ph
Kasikornbank                                     | kasikornbank.

WHOIS record comparisons between the legitimate and potential typosquatting domains showed that only five of the 519 artifacts (less than 1%) were owned by the organizations whose names appeared in them. Note, though, that we weren’t able to confirm the legitimacy of the Thai Lion Air, BIR, and Kasikornbank domains because their WHOIS records were redacted.
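The pivots described above (stripping the IoCs to hosts, collecting the IPs they resolve to, reverse IP expansion, string-based discovery, and the WHOIS registrant comparison) can be reproduced offline as a small script. The following is an added example and not the article's or WhoisXML API's own tooling: every hostname, IP, and WHOIS field is constructed sample data (the three IoC IPs from the article plus RFC 5737 addresses and made-up domains), the lookups are stand-in dictionaries rather than live DNS or WHOIS calls, and the search-term notation (`cmnb*.`, `advice.+th`) is read as "starts with the first part, and must also contain the part after `+`", which is my interpretation of the article's tables.

```python
"""IoC list expansion pivots, as an illustration of the procedure in the article.
Added example; all data below is constructed, and the search-term grammar is assumed."""
import re
from urllib.parse import urlsplit

# Constructed seed IoCs, defanged the way the article prints them.
SEED_IOCS = [
    "hxxps://lionaiothai[.]com/app/update.apk",
    "hxxp://cmnb9[.]cc/login",
    "bweri6[.]cc",
    "18[.]143[.]123[.]20",
]

# Constructed stand-in for passive DNS / reverse IP data: hostname -> resolved IP.
CANDIDATES = {
    "lionaiothai.com": "18.143.123.20",
    "cmnb9.cc": "104.21.41.159",
    "cmnb7.cc": "104.21.41.159",
    "bweri6.cc": "172.67.148.55",
    "bweri3.cc": "172.67.148.55",
    "cheap-vpn-deals.example": "18.143.123.20",
    "advice.co.th": "203.0.113.10",
    "advice.th-login.example": "203.0.113.11",
    "bancomercio.com.pe": "198.51.100.8",
    "bancomercio.credit": "198.51.100.7",
    "unrelated.example": "192.0.2.5",
}

# Constructed WHOIS registrant organisations and the brand owners to compare against.
WHOIS_ORG = {
    "bancomercio.com.pe": "Banco de Comercio",
    "bancomercio.credit": "Jane Doe",
    "advice.co.th": "Advice IT Infinite",
    "advice.th-login.example": "REDACTED FOR PRIVACY",
}
BRAND_OWNER = {"bancomercio": "Banco de Comercio", "advice": "Advice IT Infinite"}
BRAND_TERMS = {"bancomercio.": "bancomercio", "advice.+th": "advice"}  # term -> brand key

IPV4 = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def refang(ioc):
    return ioc.strip().replace("[.]", ".").replace("hxxp", "http")


def to_pivot(ioc):
    """Strip a URL, domain, or IP IoC down to its host and classify it."""
    host = refang(ioc)
    if "://" in host:
        host = urlsplit(host).hostname or ""
    host = host.lower().rstrip(".")
    return ("ip" if IPV4.fullmatch(host) else "domain", host)


def term_to_regex(term):
    """Assumed reading of the article's search-term notation:
    'lionaiothai.'  -> host starts with 'lionaiothai.'
    'cmnb*.'        -> host starts with 'cmnb', then any label characters, then '.'
    'advice.+th'    -> host starts with 'advice.' and also contains 'th' after that
    """
    first, _, second = term.partition("+")
    pattern = "^" + re.escape(first).replace(r"\*", "[^.]*")
    if second:
        pattern += "(?=.*" + re.escape(second) + ")"
    return re.compile(pattern)


def expand(seed, candidates=CANDIDATES):
    """IP and string pivots from the seed IoCs, excluding the seeds themselves."""
    ips = {h for k, h in map(to_pivot, seed) if k == "ip"}
    domains = {h for k, h in map(to_pivot, seed) if k == "domain"}
    ips |= {candidates[d] for d in domains if d in candidates}       # DNS lookup step
    ip_connected = {h for h, ip in candidates.items() if ip in ips} - domains
    # String terms: the IoC's first label with trailing digits wildcarded, e.g. cmnb9 -> cmnb*.
    terms = [re.sub(r"\d+$", "*", d.split(".")[0]) + "." for d in domains]
    regs = [term_to_regex(t) for t in terms]
    string_connected = {h for h in candidates if any(r.search(h) for r in regs)} - domains
    return {"ips": sorted(ips), "ip_connected": sorted(ip_connected),
            "string_connected": sorted(string_connected)}


def lookalike_verdict(host, brand, whois=WHOIS_ORG, owners=BRAND_OWNER):
    """Compare the registrant with the brand owner; redacted records cannot be confirmed."""
    org = whois.get(host, "")
    if not org or "REDACTED" in org.upper():
        return "unverified"
    return "legitimate" if org == owners[brand] else "lookalike"


def brand_pivot(terms=BRAND_TERMS, candidates=CANDIDATES):
    """Brand-name pivot: {host: verdict} for every candidate matching a brand term."""
    out = {}
    for term, brand in terms.items():
        reg = term_to_regex(term)
        for host in candidates:
            if reg.search(host):
                out[host] = lookalike_verdict(host, brand)
    return out


if __name__ == "__main__":
    for key, value in expand(SEED_IOCS).items():
        print(key, value)
    for host, verdict in sorted(brand_pivot().items()):
        print(host, verdict)
```

Only hosts with a "lookalike" verdict are candidates for blocking outright; "unverified" hosts (redacted WHOIS, as with the Thai Lion Air, BIR, and Kasikornbank domains in the article) belong on a monitoring list until ownership can be confirmed another way.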

Screenshot lookups for all the connected domains via IP host, string, and brand name showed that 217 continued to be accessible and host live content. Error, index, and blank pages, along with those whose domains are currently up for sale and under construction or repair, were excluded. Some looked to be game download, adult content, tutorial service provider, shopping, and business sites. Given their ties to the IoCs, they may at least be worth monitoring for signs of suspicious activity or compromise.

At least three websites may warrant inclusion in blocklists since they host a video that would only play if users download a codec—a tried-and-tested cybercriminal tactic to spread malware.

Sites that seem to be mimicking the target institutions, such as bancomercio[.]credit, should be blocked as well.

Our expansion of four Gigabud RAT IoCs—three domains and one IP address—uncovered 1,190 yet-unpublished artifacts that could be connected to the threat, including 26 that turned out to be confirmed malware hosts. Organizations and individuals alike, particularly the clients of the target institutions, should be wary of clicking the look-alike domains as well as the possibly connected web properties. All of them could be sources of Gigabud RAT, which steals banking credentials and records their screen content.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
