
Drawing the Line Between SYS01 and Ducktail Through DNS Traces

Back in January of this year, we studied the infrastructure of Ducktail, a malware that trained its sights on Facebook business owners and advertisers. Just this month, Morphisec researchers found a similar threat they’ve dubbed “SYS01.”

While SYS01 bore a striking resemblance to Ducktail at first glance, Morphisec confirmed the two threats weren’t one and the same. Using the 10 domains they tagged as indicators of compromise (IoCs) as jump-off points, the WhoisXML API research team sought to make their own comparison, this time focusing on differences between the DNS traces the two malware left. Our analysis found:

  • 20 IP addresses to which the domains dubbed as IoCs resolved, two of which turned out to be malicious
  • 3,001 domains that shared the IoCs’ IP hosts, 21 of which were confirmed to be malware hosts
  • Two domains that contained the string baglamanotalari. akin to one of the IoCs

A sample of the additional artifacts obtained from our analysis is available for download from our website.

SYS01 Known Facts

According to the Morphisec study, SYS01, like Ducktail, stole data from Facebook business owners and advertisers and employed the same lures and tactics. What separated SYS01 from Ducktail was its campaign payload—the two malware exhibited different behaviors.

The research listed 10 domains as IoCs, namely:

  • caseiden[.]com
  • graeslavur[.]com
  • rapadtrai[.]com
  • baglamanotalari[.]com
  • oscarnaija[.]com
  • makananwisata[.]com
  • seleriti[.]com
  • seemlabie[.]top
  • craceruib[.]top
  • mahinetain[.]top

We sought to trace SYS01’s digital footprint to determine if it shared other commonalities with Ducktail apart from its intended targets and the tactics used by its operators.

SYS01 IoC Expansion Analysis

To draw the line between SYS01 and Ducktail, we conducted an IoC expansion analysis for SYS01. That allowed us to identify similar patterns between the two threats’ artifacts and web properties, if any.

We began with a bulk WHOIS lookup for the IoCs that revealed the following:

  • All of the 10 domains were registered via NameSilo, LLC. The Ducktail domains indicated two different registrars.
  • The SYS01 IoCs also used a different privacy redaction service—Privacy Guardian.
  • All the IoCs were registered in the U.S., the only resemblance we could find with one of the Ducktail IoCs.

The only similarity we found between the SYS01 and Ducktail domains was that they were all newly registered when they were used in relevant campaigns.

Next, we subjected the SYS01 IoCs to DNS lookups that led to the discovery of 20 unique IP resolutions. SYS01 didn’t share any of Ducktail’s IP hosts. Also, all the IP addresses were shared hosts and two turned out to be malicious, including 104[.]21[.]43[.]250. They were all geolocated in the U.S., too, again unlike the Ducktail IP host we identified.

To identify other potential SYS01 artifacts, we performed reverse IP lookups that uncovered 3,001 additional domains. None of them were identical to any of the Ducktail IP-connected domains we found earlier. In addition, 21 of them were found to be malicious. Eight of these malware-laden pages continued to host live content, with four of these pages looking suspicious due to reasons detailed along with their screenshots below.

Finally, we looked for domains that shared common strings with the IoCs via Domains & Subdomains Discovery. We found only two that contained the string baglamanotalari., which only differed from the IoC baglamanotalari[.]com in that it used other top-level domain (TLD) extensions. None of them were found to be malicious. They were also unreachable unlike the IoC that resolved to an error page.

Like all the other SYS01 artifacts we discovered in our analysis, the string-connected domains—baglamanotalari[.]tk and xn--balamanotalar-x2b5z[.]com—didn’t share any similarities with the Ducktail ones we identified.
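The string-connected search described above can be reproduced offline against any candidate list. This is an added example, not code from the original article or from WhoisXML API: it refangs the listed IoCs, decodes punycode labels and folds diacritics, which is why the IDN variant matches the baglamanotalari label. The function names, the confusables map and every candidate other than the two domains reported above are assumptions.

```python
import unicodedata

# The 10 SYS01 IoC domains from the list above, kept defanged.
SYS01_IOCS = [
    "caseiden[.]com", "graeslavur[.]com", "rapadtrai[.]com",
    "baglamanotalari[.]com", "oscarnaija[.]com", "makananwisata[.]com",
    "seleriti[.]com", "seemlabie[.]top", "craceruib[.]top",
    "mahinetain[.]top",
]

# Letters with no Unicode decomposition that read as ASCII (assumed, partial map).
CONFUSABLES = str.maketrans({"ı": "i", "ł": "l", "ø": "o"})

def refang(domain):
    """Turn a defanged indicator (example[.]com) back into a plain hostname."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

def fold_label(label):
    """Decode a punycode label, then strip diacritics so look-alikes compare equal."""
    if label.startswith("xn--"):
        try:
            label = label[4:].encode("ascii").decode("punycode")
        except ValueError:  # UnicodeError is a ValueError subclass
            return label    # malformed A-label: compare it as-is
    decomposed = unicodedata.normalize("NFKD", label)
    stripped = "".join(c for c in decomposed if not unicodedata.combining(c))
    return stripped.translate(CONFUSABLES)

def string_connected(iocs, candidates):
    """Map each IoC to candidates that share its folded left-most label."""
    known = {refang(d) for d in iocs}
    by_label = {fold_label(d.split(".")[0]): d for d in known}
    hits = {}
    for cand in map(refang, candidates):
        ioc = by_label.get(fold_label(cand.split(".")[0]))
        if ioc and cand not in known:  # skip the IoCs themselves
            hits.setdefault(ioc, []).append(cand)
    return hits

# The two string-connected domains reported above, plus constructed noise.
CANDIDATES = [
    "baglamanotalari[.]tk", "xn--balamanotalar-x2b5z[.]com",
    "baglama-notalari[.]example", "caseiden[.]com", "xn--999[.]example",
]

if __name__ == "__main__":
    print(string_connected(SYS01_IOCS, CANDIDATES))
```

The match is on the left-most label only, so it assumes two-label domains; real candidate feeds need a public-suffix-aware split.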

The Bottom Line

Apart from uncovering 3,023 IP addresses and domains that could be part of the SYS01 infrastructure, our IoC expansion analysis also seemingly affirms Morphisec’s finding. Despite having the same target and using similar tactics and lures, SYS01 and Ducktail are not one and the same as far as we could tell. They didn’t just have varying payloads but also had distinct digital footprints based on the traces they left in the DNS.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
