Home / Industry

Tracing Truebot’s Roots through a DNS Deep Dive

On 12 June, the DFIR Report published an in-depth analysis of a Truebot intrusion that began with several page redirects via a Traffic Distribution System (TDS) and ended with dropping a Master Boot Record (MBR) killer wiper onto a victim’s computer. The result? The users’ data got exfiltrated to a threat actor-owned remote server and erased from the source. Worse, while some victims were prompted to reboot, more unfortunate ones were left with inoperable systems.

To collate as much DNS intel as possible, we pivoted off the researchers’ list of IoCs comprising three domains and five IP addresses for an expansion analysis. Our DNS deep dive uncovered the following:

  • The three domains identified as IoCs resolved to three IP addresses (i.e., two dedicated and one possibly dedicated hosts), two of which were detected as malicious by our malware check tool.
  • A domain tagged as an IoC had a publicly viewable registrant email address in some of its historical WHOIS records.
  • The registrant email address we found appeared in the WHOIS records of 7,666 other domains, four of which were detected as dangerous by our malware check tool.
  • The dedicated IP addresses played host to 267 other domains.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

A Closer Look at the Domains Identified as IoCs

Based on the current WHOIS records of the three domains identified as IoCs, we found that:

  • Each domain was under the control of a different registrar (ecorfan[.]org—eNom, essadonio[.]com—CNobin Information Technology, and hrcbishtek[.]com—NOM-IQ).
  • Each domain was registered in a different country (ecorfan[.]org—Mexico, essadonio[.]com—China, and hrcbishtek[.]com—U.S.).
  • Two of the domains (ecorfan[.]org and hrcbishtek[.]com) were aged while the remaining one (essadonio[.]com) was newly registered.

Take a look at the comparison table below.

Further scrutiny of the domains’ historical WHOIS records allowed us to uncover an unredacted registrant email address for hrcbishtek[.]com. A historical reverse WHOIS lookup for the registrant email address uncovered 7,666 other domains, four of which have been categorized as malicious based on a Threat Intelligence Platform (TIP) bulk malware check.

While two of the malicious email-connected domains contained the string hardrock, one of them (hardrockjinan[.]com) couldn’t be definitively attributed to the entertainment chain based on a WHOIS record detail comparison.

DNS lookups for the four IoCs revealed that they resolved to three unique IP addresses, one of which (45[.]182[.]189[.]71) has already been identified as an IoC.

The IP Addresses under the Microscope

The DFIR Report identified five IP addresses as IoCs. Adding the two hosts we found—193[.]3[.]19[.]173 and 209[.]59[.]139[.]215—gave us a total of seven that we then subjected to further scrutiny. We found that:

  • The seven IP addresses were spread across four countries—two each in Russia and the U.S. and one each in Cyprus and the Netherlands.
  • None of the IP addresses shared ISPs.
  • Two of the IP addresses (45[.]182[.]189[.]71 and 193[.]3[.]19[.]173) were dedicated hosts, one (209[.]59[.]139[.]215) could be a dedicated host as well, and the remaining four didn’t have matching DNS records. The three dedicated and possibly dedicated IP hosts hosted 266 other domains.

Other DNS Findings

It’s also interesting to note that a string in one of the domains classified as an IoC—ecorfan—appeared in one other domain—ecorfan[.]com.

Both domains were created around the same time—ecorfan[.]org (identified as an IoC) on 14 June 2023 and ecorfan[.]com on 15 June 2023. But while ecorfan[.]com’s WHOIS record details weren’t publicly available, ecorfan[.]org’s was. Based on its current WHOIS record, the latter could belong to the Mexican government. A malware check, however, showed that it’s currently considered malicious. If it is a federal website, it could have been compromised to serve Truebot. The following screenshot also reveals that it continues to host live content.

The string hardrock, meanwhile, was present in several email-connected domains. As such, we scoured the DNS for domains containing the said string, which led to the discovery of more than 10,000 such web properties. While several of them could belong to the multinational company Hard Rock Cafe, Inc., some could be cybersquatting on the organization’s popularity. They didn’t indicate their registrant organizations and had different registrars compared to hardrock[.]com.

A TIP bulk malware check for the domains we found also showed that three were currently classified as malware hosts and one continues to host live content. Take a look at its screenshot below.

Note, too, that one of the malicious domains could belong to Hard Rock since it shared the registrant organization name (Hard Rock Cafe International U.S.A., Inc.) reflected in the current WHOIS record of the global corporation’s official website hardrock[.]com. Threat actors could have compromised the said site or mimicked the registrant organization name. The remaining two malicious hardrock-containing domains were likely owned by cybersquatters hoping to lure the company’s customers to their specially crafted malware-laden pages.

The Gist

DNS deep dives via an IoC expansion analysis aided by comprehensive threat intelligence solutions like TIP can help organizations identify possible attack vectors as soon as they get registered, even before threat actors can weaponize them. Our in-depth investigation on Truebot allowed us to identify thousands of potentially connected artifacts that possibly mimicked companies like Hard Rock and may warrant their security teams’ attention.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By Threat Intelligence Platform (TIP), Enterprise-Grade Threat Intelligence APIs, Tools, and Services

Threat Intelligence Platform (TIP) offers easy to use threat intelligence tools, services, and APIs to get detailed information about hosts and the infrastructure behind them. Gathering data from different providers, utilizing our substantial internal databases (compiled for 10+ years), and also real-time host configuration analysis, our threat intelligence solutions provide an in-depth look at target hosts and are an essential addition to any threat detection toolkit.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Domain Names

Sponsored byVerisign

New TLDs

Sponsored byRadix

Cybersecurity

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

DNS

Sponsored byDNIB.com