
A DNS Deep Dive: That VPN Service May Be OpcJacker in Disguise

The more dangerous browsing the Internet becomes, the more tools to address cyber threats emerge in the market. Virtual private network (VPN) service usage, for instance, gained ubiquity due to the ever-increasing number of data privacy intrusions. So what happens when you download a supposed VPN software installer but end up with a malware infection instead?

Trend Micro’s in-depth OpcJacker investigation may tell you. The malware comes in the guise of a VPN software installer. Once installed, it logs keystrokes, takes screenshots, steals sensitive browser data, loads additional malicious modules, and swaps cryptocurrency wallet addresses to hijack transfers.

Security researchers Jaromir Horejsi and Joseph C. Chen identified 33 OpcJacker indicators of compromise (IoCs)—30 domains and three IP addresses, namely:

Domains:
• alle13net1[.]com
• alle13net2[.]com
• comes1[.]com
• comes2[.]com
• gattri1[.]com
• gattri2[.]com
• installer-xvpn-g[.]site
• installer-xvpn-h[.]site
• installer-xvpn-k[.]site
• installer-xvpn-n[.]site
• irbxvpn[.]site
• irexvpn[.]site
• irfxvpn[.]site
• irhxvpn[.]site
• irixvpn[.]site
• irkxvpn[.]site
• irqxvpn[.]site
• irtxvpn[.]site
• iruxvpn[.]site
• irwxvpn[.]site
• manigiajabae32[.]com
• manigiajabae35[.]com
• neskrab1[.]com
• neskrab2[.]com
• nesupcli[.]com
• she32rn1[.]com
• she32rn2[.]com
• uhcoxvpn[.]site
• uzurtela1[.]com
• uzurtela42[.]com

IP addresses:
• 185[.]163[.]45[.]36
• 94[.]158[.]244[.]118
• 206[.]188[.]197[.]199
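To make the list above directly usable, here is an added example of our own (not part of the original research, and not Trend Micro or WhoisXML API tooling) that refangs the published indicators and runs them over DNS query logs. It matches query names exactly or as subdomains of an IoC domain, so that dl.installer-xvpn-g.site is caught but notalle13net1.com is not, and it checks answers both as addresses and as CNAME targets. The five-field log format and the sample lines are constructed for illustration; non-IoC hosts in them use RFC 5737 documentation addresses.

```python
import ipaddress
import re
from typing import Iterable, List, Optional

# The 30 domains and 3 addresses published above, kept defanged as on the page.
OPCJACKER_DOMAINS_DEFANGED = """
alle13net1[.]com alle13net2[.]com comes1[.]com comes2[.]com gattri1[.]com gattri2[.]com
installer-xvpn-g[.]site installer-xvpn-h[.]site installer-xvpn-k[.]site installer-xvpn-n[.]site
irbxvpn[.]site irexvpn[.]site irfxvpn[.]site irhxvpn[.]site irixvpn[.]site irkxvpn[.]site
irqxvpn[.]site irtxvpn[.]site iruxvpn[.]site irwxvpn[.]site manigiajabae32[.]com manigiajabae35[.]com
neskrab1[.]com neskrab2[.]com nesupcli[.]com she32rn1[.]com she32rn2[.]com uhcoxvpn[.]site
uzurtela1[.]com uzurtela42[.]com
""".split()
OPCJACKER_IPS_DEFANGED = ["185[.]163[.]45[.]36", "94[.]158[.]244[.]118", "206[.]188[.]197[.]199"]


def refang(ioc: str) -> str:
    """Turn a defanged indicator back into a usable, normalised string ('[.]' -> '.')."""
    return ioc.strip().lower().replace("[.]", ".").rstrip(".")


IOC_DOMAINS = {refang(d) for d in OPCJACKER_DOMAINS_DEFANGED}
IOC_IPS = {ipaddress.ip_address(refang(ip)) for ip in OPCJACKER_IPS_DEFANGED}


def domain_matches(qname: str) -> Optional[str]:
    """Return the IoC domain that qname equals or sits under, else None.

    Walking up the labels catches subdomains (dl.installer-xvpn-g.site) without the
    substring false positive a naive 'in' test would give for notalle13net1.com.
    """
    labels = qname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


# Constructed (assumed) log format: "<timestamp> <client> <qname> <qtype> <answer>".
LOG_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qname>\S+)\s+(?P<qtype>\S+)\s+(?P<answer>\S+)$"
)


def scan_dns_log(lines: Iterable[str]) -> List[dict]:
    """Return one hit per log line whose query name or answer touches the IoC set."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of aborting the whole scan
        rec = m.groupdict()
        reasons = []
        matched = domain_matches(rec["qname"])
        if matched:
            reasons.append(f"query for IoC domain {matched}")
        answer = rec["answer"]
        try:
            if ipaddress.ip_address(answer) in IOC_IPS:
                reasons.append(f"answer is IoC address {answer}")
        except ValueError:
            # Not an address, so a CNAME-style target: check it as a name as well.
            target = domain_matches(answer)
            if target:
                reasons.append(f"answer points into IoC domain {target}")
        if reasons:
            hits.append({"ts": rec["ts"], "client": rec["client"],
                         "qname": rec["qname"].rstrip("."), "reasons": reasons})
    return hits


# Constructed sample log; only the IoC addresses and names are real indicators.
SAMPLE_DNS_LOG = """\
2023-03-31T10:15:02Z 10.0.0.5 www.example.com A 192.0.2.1
2023-03-31T10:15:07Z 10.0.0.5 dl.installer-xvpn-g.site A 185.163.45.36
2023-03-31T10:16:11Z 10.0.0.9 vpn.ac A 203.0.113.10
2023-03-31T10:17:45Z 10.0.0.7 cdn.some-host.net A 94.158.244.118
2023-03-31T10:18:03Z 10.0.0.7 update.some-host.net CNAME irbxvpn.site.
2023-03-31T10:19:00Z 10.0.0.5 notalle13net1.com A 192.0.2.2
garbage line
"""

if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG.splitlines()):
        print(hit["ts"], hit["client"], hit["qname"], "->", "; ".join(hit["reasons"]))
```

Matching on the answer section matters here because the three IP IoCs may be reached through names outside the published list, which is exactly what the expansion below goes on to find.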

The WhoisXML API research team expanded the list of IoCs to determine other potential fake VPN threat vectors. Our closer look at the DNS uncovered:

  • Seven additional IP addresses that hosted some of the IoC domains, three of which were themselves flagged as malicious
  • 441 additional domains that shared IP hosts with the IoCs, 10 of which turned out to be malware hosts
  • 10,000 domains containing the string vpn, 12 of which have been flagged as malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Facts about the OpcJacker IoCs

We began our in-depth study with a bulk WHOIS lookup for the 30 domains identified as IoCs. Registrar data was publicly visible for 26 of them, spread across three registrars: 15 with PDR Ltd., 10 with NiceNIC International Group Co. Limited, and one with Key-Systems GmbH.

All 30 domains were newly registered, in February of this year, and all of them listed the same registrant country, Russia.

A bulk IP geolocation lookup for the three IP addresses, meanwhile, showed they were geolocated in three distinct countries: Moldova, the U.S., and the Netherlands. Two of them were managed by MivoCloud SRL, while the remaining one was under BL Networks.

OpcJacker IoC List Expansion Findings

To find all other potentially connected artifacts, we subjected the domains identified as IoCs to DNS lookups. That led to the discovery of seven additional IP addresses spread across five countries. Three were geolocated in the U.S. and one each in Germany, the Netherlands, Russia, and the U.K.

The IP addresses were distributed among six ISPs led by DARL-TELECOM, which accounted for two of the hosts. The remaining five IP addresses were managed by Hosting Technology Ltd., TimeWeb Ltd., BL Networks GB, Hostinger US, and Hetzner Online GmbH.

Next, reverse IP lookups for the 10 IP addresses—three identified as IoCs and seven additional hosts—allowed us to uncover 441 domains, 10 of which turned out to be malicious.

Screenshot lookups showed that five of the malicious pages remained accessible and, more interestingly, that all five served the same content: a supposed VPN software download page.

Due to the threat actors’ use of fake VPN software, we also scoured the DNS for domains that contained the string vpn, which could be utilized maliciously for attacks similar to the OpcJacker campaign. Domains & Subdomains Discovery gave us 10,000 domain names, 12 of which turned out to be malicious. Specifically, nine of them were malware hosts while the remaining three were involved in spamming.

Ten of the 12 malicious domains were unreachable as of this writing; the other two, which remained accessible, led to warning pages.

Next, we obtained a list of VPN service providers from this page. A bulk WHOIS lookup for their official domains showed that only 10 had publicly viewable registrant organizations. Comparing those with the registrant organizations of the vpn-containing domains revealed that only one, vpn[.]ac, could be publicly attributed to a legitimate VPN service provider on our list; it is, in fact, the official site of Romania-based provider VPN.ac. The remaining 9,999 string-connected domains could not be attributed this way (a limitation of the method as much as of the domains, since most providers redact registrant data), so they warrant scrutiny as potential hosts of fake VPN software installer pages rather than being presumed malicious.
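The expansion described in this section (forward DNS on the IoC domains, reverse IP on the resulting hosts, then a string search filtered against attributable providers) can be reproduced over your own passive-DNS data. The following is an added example of our own, not the WhoisXML API pipeline or any of its products. The passive-DNS records are constructed: the four IoC names are taken from the list on this page, but every address is an RFC 5737 documentation address and every other domain is invented, so nothing here reflects the real hosting of the indicators. The shared-host threshold is likewise an assumed cut-off; it encodes the practitioner's caveat that a Hetzner- or Hostinger-class address co-hosting hundreds of tenants is a weak pivot, which is why 441 co-hosted domains yield only a handful of real leads.

```python
from collections import defaultdict
from typing import Dict, Iterable, List, Set, Tuple

# Constructed passive-DNS style (domain, A record) pairs for the walk-through.
PDNS_RECORDS: List[Tuple[str, str]] = [
    ("installer-xvpn-g.site", "192.0.2.10"),     # IoC domain (name from the page, IP assumed)
    ("installer-xvpn-h.site", "192.0.2.10"),     # IoC domain
    ("irbxvpn.site", "198.51.100.7"),            # IoC domain, on an assumed IoC address
    ("alle13net1.com", "203.0.113.5"),           # IoC domain, on a busy shared host
    ("free-xvpn-setup.example", "192.0.2.10"),   # invented domain co-hosted with the IoCs
    ("bestvpn-download.example", "198.51.100.7"),
    ("bakery.example", "203.0.113.5"),           # invented unrelated tenants of the shared host
    ("florist.example", "203.0.113.5"),
    ("plumber.example", "203.0.113.5"),
    ("vpn.ac", "203.0.113.99"),                  # legitimate provider named on this page
]
SAMPLE_IOC_DOMAINS = {"installer-xvpn-g.site", "installer-xvpn-h.site",
                      "irbxvpn.site", "alle13net1.com"}
SAMPLE_IOC_IPS = {"198.51.100.7"}      # assumed IP IoC for the walk-through
KNOWN_PROVIDERS = {"vpn.ac"}           # allowlist of attributed legitimate providers


def build_indexes(records: Iterable[Tuple[str, str]]):
    """Forward (domain -> IPs) and reverse (IP -> domains) indexes over the records."""
    fwd: Dict[str, Set[str]] = defaultdict(set)
    rev: Dict[str, Set[str]] = defaultdict(set)
    for domain, ip in records:
        name = domain.lower().rstrip(".")
        fwd[name].add(ip)
        rev[ip].add(name)
    return fwd, rev


def expand_iocs(ioc_domains, ioc_ips, records, shared_host_threshold: int = 3) -> dict:
    """Pivot from IoC domains to their hosts and back to the domains those hosts serve.

    shared_host_threshold is an assumed cut-off: an address hosting more domains
    than this is treated as shared hosting, where co-residency is a weak link.
    """
    fwd, rev = build_indexes(records)
    resolved = set().union(*(fwd.get(d, set()) for d in ioc_domains))
    new_ips = resolved - set(ioc_ips)
    cohosted: Dict[str, Set[str]] = {}
    weak_pivots: Set[str] = set()
    for ip in resolved | set(ioc_ips):
        hosted = rev.get(ip, set())
        if len(hosted) > shared_host_threshold:
            weak_pivots.add(ip)
        for domain in hosted - set(ioc_domains):
            cohosted.setdefault(domain, set()).add(ip)
    return {"new_ips": new_ips, "cohosted": cohosted, "weak_pivots": weak_pivots}


def strong_cohosted(expansion: dict) -> List[str]:
    """Co-hosted domains that share at least one non-shared-hosting address with the IoCs."""
    return sorted(d for d, ips in expansion["cohosted"].items()
                  if ips - expansion["weak_pivots"])


def vpn_string_candidates(domains: Iterable[str], allowlist: Iterable[str]) -> List[str]:
    """Domains containing 'vpn' that cannot be attributed to an allowlisted provider."""
    allowed = {a.lower() for a in allowlist}
    return sorted({d.lower() for d in domains if "vpn" in d.lower()} - allowed)


if __name__ == "__main__":
    result = expand_iocs(SAMPLE_IOC_DOMAINS, SAMPLE_IOC_IPS, PDNS_RECORDS)
    print("new IPs:", sorted(result["new_ips"]))
    print("shared-hosting pivots:", sorted(result["weak_pivots"]))
    print("strong co-hosted leads:", strong_cohosted(result))
    print("vpn-string candidates:",
          vpn_string_candidates([d for d, _ in PDNS_RECORDS], KNOWN_PROVIDERS))
```

On the constructed data the shared host 203.0.113.5 drops out as a weak pivot and only the two invented vpn-themed domains survive as strong leads; with real passive DNS the threshold would be tuned per hosting provider, and the surviving candidates would still need the screenshot or content check described above before being called malicious.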


Our IoC list expansion analysis led to the discovery of 10 malware-hosting domains, five of which still served fake VPN download pages, that could be part of the OpcJacker infrastructure since they shared IP hosts with the IoCs. It also uncovered 12 other domains containing the string vpn that may already have figured in similar malicious campaigns.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
