Home / Industry

A Peek Under the Hood of the Atomic Stealer Infrastructure

The Atomic Stealer, also known as “AMOS,” first emerged in September this year by spreading on Macs disguised as popular applications. This time around, it has been wreaking more havoc in the guise of a fake browser update dubbed “ClearFake.” To widen their victim base, the stealer’s operators compromised several websites for their illicit gain.

Malwarebytes Labs published a list of Atomic Stealer indicators of compromise (IoCs) along with their in-depth malware analysis earlier this November. To gather more information about the threat and identify other potential attack vectors that may not be public yet, we expanded the list of IoCs, specifically six domains and one IP address, and discovered:

  • 31 email-connected domains
  • Seven IP addresses to which the email-connected domains resolved
  • 12 string-connected domains
  • 14 string-connected subdomains

A sample of the additional artifacts obtained from our analysis is available for download from our website.

DNS Facts about the Atomic Stealer IoCs

We first took a look at the six domains identified as IoCs via a bulk WHOIS lookup and found that:

  • They were split between two registrars—five domains were registered with GoDaddy.com LLC and one with Namecheap, Inc.
  • The six domains were created between 2008 and 2023—two in 2022 and one each in 2008, 2011, 2020, and 2023.

  • Five of the domains had the U.S. recorded as their registrant country, while one indicated Iceland.

Next, we subjected the IP address identified as an IoC to an IP geolocation lookup and found that:

  • It was geolocated in Belgium with Matrix Telecom Ltd. as its Internet service provider (ISP).
  • Threat Intelligence Lookup also provided additional information on the IoC, specifically that it was associated with 203 threats.

DNS Deep Dive Discoveries

We began our expansion analysis by performing WHOIS History Search queries on the six domains identified as Atomic Stealer IoCs. We uncovered 15 email addresses that appeared anywhere in their historical WHOIS records.

Reverse WHOIS Search queries on the seven public email addresses showed that four of them appeared in the current WHOIS records of 31 email-connected domains after duplicates and the IoCs were removed.

A closer look at the email-connected domains revealed that nine of them could be mimicking three Canadian organizations—Costco Wholesale Canada, the Royal Bank of Canada, and Scotiabank Canada—based on their text string usage summed up in the table below.

EMAIL-CONNECTED DOMAINORGANIZATION POSSIBLY BEING MIMICKED
canada-costco-redeem2percent[.]comCostco Wholesale Canada
rbctrustroyalcanada[.]comtrustclientrbc[.]comRoyal Bank of Canada
canadascotia-sign-intrust[.]com
scotiabank-sign-in[.]com
scotiacatrust[.]com
scotiaonline-client[.]com
scotiatrustweb[.]com
sign-intrust-scotiaonline[.]com
Scotiabank Canada

The WHOIS records of the three organizations possibly being imitated had identifiable data points. WHOIS lookups for Costco Wholesale Canada’s and the Royal Bank of Canada’s official domains—costco[.]ca and rbcroyalbank[.]com, respectively—allowed us to determine their registrant email addresses. A WHOIS lookup for Scotiabank Canada’s official domain—scotiabank[.]com—meanwhile, enabled us to obtain its registrant organization.

In comparison, none of the nine email-connected domains’ WHOIS records contained the information detailed above. In fact, they all had heavily redacted WHOIS records. As such, none of them could be publicly attributed to the legitimate companies and may thus be considered typosquatting domains.

Next, we subjected the six domains identified as IoCs to DNS lookups and found that they resolved to seven unique IP addresses. Bulk IP geolocation lookups for them showed that:

  • The IP addresses all seemed to point to the U.S. as their origin country.
  • They were also spread across two ISPs led by Cloudflare, Inc. (six IP addresses). One IP address was administered by Google LLC.

  • Threat Intelligence Lookup also revealed that six of the IP addresses were associated with various threats. Take a look at our findings in the table below.

    IP ADDRESSTHREAT INTELLIGENCE LOOKUP FINDING
    104[.]21[.]43[.]174Associated with 8,149 threats
    104[.]21[.]49[.]159Associated with 8,171 threats
    104[.]21[.]30[.]25Associated with 8,176 threats
    172[.]67[.]182[.]141Associated with 8,271 threats
    172[.]67[.]147[.]71Associated with 8,195 threats
    172[.]67[.]150[.]110Associated with 8,196 threats
  • None of the seven IP addresses shared the IoC’s geolocation country nor ISP.

We now had a total of eight IP addresses to work with after adding the one identified as an IoC. Our lookups also revealed that seven of the IP addresses could be shared hosts and one didn’t have active resolutions.

As the final step in our search for connected web properties registered in the past decade or so, we looked for domains and subdomains that contained the text strings found among the six domains identified as IoCs below via Domains & Subdomains Discovery. We found 17 domains and 14 subdomains.

TEXT STRINGS FOUND AMONG THE DOMAINS IDENTIFIED AS IoCsNUMBER OF DOMAINS FOUND USING DOMAINS & SUBDOMAINS DISCOVERYNUMBER OF SUBDOMAINS FOUND USING DOMAINS & SUBDOMAINS DISCOVERY
thebestthings133710
chalomannoakhali10
jaminzaidad42
royaltrustrbc20
wifi-ber912

After removing duplicates, the domains already identified as IoCs, and the email- and IP-connected domains, we were left with 12 and 14 string-connected domains and subdomains, respectively.

Interestingly, one string-connected domain—royaltrustrbc[.]online—could be cybersquatting on the Royal Bank of Canada. Like the potential typosquatting domains we found earlier, royaltrustrbc[.]online could not be publicly attributed to the bank. Its WHOIS record did not list the Royal Bank of Canada’s registrant email address either.


Our peek under the hood of the Atomic Stealer’s infrastructure led to the discovery of 64 potentially connected artifacts that have not been published in other reports. Part of that list are domains that could figure as attack vectors in phishing campaigns targeting Costco Wholesale Canada, the Royal Bank of Canada, and Scotiabank Canada.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Related

Topics

Domain Names

Sponsored byVerisign

Cybersecurity

Sponsored byVerisign

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC

New TLDs

Sponsored byRadix