Cert Safari: Leveraging TLS Certificates to Hunt Evil

 

Proactively hunting for malicious infrastructure is a persistent puzzle for threat researchers to work and solve.  It is a complex and evolving problem, made more complex (though not unmanageable) by Domain Privacy and GDPR, which obscure WHOIS information that Analysts and Researchers would otherwise use to identify trends and corroborate other observations to increase confidence in attribution of infrastructure clustering.  This has forced researchers to identify other methods to proactively hunt for malicious infrastructure.

How to Leverage TLS Certificates 

Assisted by an increasing body of knowledge generated by thoughtful, forward-leaning analysts working on this very problem {1-9}, the Prevailion Adversarial Counterintelligence Team (PACT) leverages TLS certificates to compensate for the investigatory vacuum left by WHOIS redactions.  But, before we dive into an analytical methodology along with an example that leverages this source of information, a quick primer on how the internet works: 

• Domain names, like “Wikipedia.org,” are not required for network communications, but an IP address is (the internet runs on TCP/IP, after all).  
• Domain names provide a sense of brand, recognition, and utility that IP addresses cannot (IP addresses are for machines, domain names are for people).  
• Most legitimate sites will have a domain name that is mapped to (one or more) IP addresses.  

The push for encrypted communications over the internet, mainly due to the influence of ecommerce, made much of the day-to-day communications between a user’s computer and a website (on a domain) encrypted using the TLS (Transport Layer Security) protocol.  To implement and use TLS, a website must first prove its identity by presenting a TLS certificate.  The TLS certificate contains information about the website (domain) and the organization that runs and owns that domain. It is further countersigned by a trusted party (the Certificate Authority, or CA), whose sole job is to verify that the site is truly owned and operated by the entity claiming ownership. 

TLS certs are intended to bind together a domain name with an organizational identity {10}.  For example, the TLS cert for Wikipedia {Figure 1, below} displays the Subject Common Name (CN=*.wikipedia.org), effectively proving the web server’s legitimate right to serve any webpage from the domain (or any subdomain) ending in “wikipedia.org”.  Additionally, it can serve web pages from the other domains on the cert, as agreed upon by the entity (Wikipedia) and the CA (Let’s Encrypt).

Figure 1 – Wikpedia’s TLS certificate

 

Armed with the understanding that TLS certificates are required for encrypted communications between a computer and a website (domain), and that IP addresses are required for network communications (but domain names are not), it stands to reason that TLS certificates must be associated with the IP addresses hosting a given domain.  

Malicious actors must execute most, if not all, of the following steps to create supporting infrastructure for their operations {7}: 

1. Create a registration persona
2. Buy a domain name from a registrar/reseller
3. Set up hosting at an IP address
4. Set up target or operation-specific subdomain infrastructure
5. Create an SSL certificate if requiring HTTPS communication
6. Enable services at a hosting IP address or the domain
7. Set up domain with a website or redirect

Each of these steps provides an opportunity for the researcher to identify tactics or artifacts that can be used to cluster adversary activity or infrastructure.  This methodology was recently used by the PACT to uncover what appears to be a cluster of unattributed activity that has yet to be reported on, hosted mainly on Vietnamese infrastructure and using domain names with a technology and cryptocurrency theme.  

The PACT initially identified a blacklisted certificate, listed as a generic “Malware C&C,” on the SSL certificate blacklist (SSLBL) provided by the amazing folks at ABUSE.ch {11}.  Analysts identified the cert on Censys.io by its SHA1 fingerprint, where it was associated with “google247[.]xyz” {Figure 2 below}

Figure 2 – the blacklisted certificate from SSLBL

 

To identify the hosting infrastructure, analysts used DomainTools’ WHOIS tool to query the domain associated with the certificate. Two notable facts were identified: 

1. The domain is hosted on 14.241.72[.]25
2. Four other domains are hosted on the same IP {Figure 3, below}.

Figure 3 – WHOIS info for the domain associated with the blacklisted certificate

 

Analysts also noted the following additional facts for future pivots: 

1. Registrant Organization: Nguyễn Quang Thuỷ
2. Registrar: Mat Bao Corporation
3. Name Servers: NS1.MATBAO.COM & NS2.MATBAO.COM

Identifying the hosting address of the domain enabled a pivot to Shodan {Figures 4,5, below}, which identified an additional domain associated with that IP: sellview[.]xyz.

 

 

 

Figure 4,5 – Results of Shodan query for the host, identifying it by IP and TLS certificate

 

Censys was used to backstop the findings from Shodan, positively identifying both the IP and the certificate seen on the target IP in Shodan {Figures 6,7, below}:

Figure 6 – IP corroboration from Censys

Figure 7 – Certificate corroboration from Censys

 

The certificate structure for sellview[.]xyz is similar in structure to the original certificate for google247[.]xyz (from the SSLBL): the “Issuer DN” string is identical; validity period is 1 year, and the “Names” values are identically structured.  There are now two domains with overlapping certificate characteristics being hosted on IP 14.241.72[.]25.  Additional similarities can be seen within the WHOIS registration data: the registrant information was identical (Registrant Organization: Nguyễn Quang Thuỷ; Registrar: Mat Bao Corporation, and nameservers).  Screenshots of both domains using URLSCAN.io also proved to be identical: a blank white screen with “Hello.” written in black text in the top-left corner {Figure 8}.

Figure 8 – Screenshot of the two domains

 

The matching WHOIS registration data, along with the identical certificate structure, hosting infrastructure, and URLSCAN website screenshots, indicate it is highly likely this activity can be clustered.  

Next, PACT pivoted on the IP in an attempt to identify additional domains that might be clustered with the observed activity.  Querying the IP using passive DNS and domain intelligence tools corroborated the hosting of the previously identified domains as well as dozens of other domains registered under the *.xyz TLD.  

Some were immediately notable due to their similarity in name or theme: 

1. google360[.]xyz
2. shippro[.]xyz
3. btc247[.]xyz
4. btc360[.]xyz
5. follow247[.]xyz
6. follow360[.]xyz
7. forex247[.]xyz
8. forex24h[.]xyz
9. gold247[.]xyz
10. gold360[.]xyz
11. googlevn[.]xyz
12. guess247[.]xyz
13. guess360[.]xyz
14. mailgoogle[.]xyz

Others appeared to target a Vietnamese-speaking audience:

1. Giaovat[.]xyz (translated*: “giao vat” = delivery)
2. Timviec[.]xyz (translated*: “tim viec” = heart)
3. Xemhang[.]vn (translated*: “xem hang” = see the cave)
4. Xemhang[.]xyz (see above)
5. Xuatban[.]xyz (translated*: “xuat ban” = leave you)

*translation provided using Google Translate

The shared theme of the domains (technology, cryptocurrency, re-use of numbering schemes [e.g., btc247, gold247, guess247] and the consistent use of the “.xyz” TLD), as well as the shared hosting infrastructure (IP 14.241.72[.]25), along with the overlapping WHOIS data, is used to loosely cluster this activity.  

All domains listed above (22 in total) share the following characteristics: 

1. Hosted (currently or previously) on IP 14.241.72.25
2. Registrant Organization: Nguyễn Quang Thuỷ
3. Registrar: Mat Bao Corporation
4. Name Servers: NS1.MATBAO.COM & NS2.MATBAO.COM

 

Additional Analysis

In keeping with the subject of this post, certificate analysis on all 22 domains continued strengthening the case for clustering this activity.  20 of the 22 domains have overlapping certificate characteristics: they were previously registered with 90-day certificates from Certificate Authority “ZeroSSL”, and 13 have a current 12-month certificate from Certificate Authority Sectigo.  The Sectigo certificates share a common naming schema for the website/domain in the Common Name (CN) and Subject Alternative Names (SAN) as well as the ‘Issuer DN’ string “C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited, CN=Sectigo RSA Domain Validation Secure Server CA”. Both the Sectigo and ZeroSSL certificates share the same naming schema in the CN and SAN fields.

Certificate histories were available for some of the domains as far back as 2016, which also revealed that this actor has been using multiple certificate authorities (Sectigo/Comodo, ZeroSSL, Let’s Encrypt).  Expired certificates for some domains also revealed additional domains (via entries in the CN or SAN fields), but these domains were not included in the findings as historical hosting data was not available.  It appears from certificate timestamps that the actor was using the ZeroSSL certs in early 2021, then recertified their domains using Sectigo as the ZeroSSL certs began expiring.  The most recent certifications have a period of validity beginning on 08 July 2021 (for both btc360[.]xyz and btc247[.]xyz), indicating that the actor is actively maintaining this infrastructure.  The expired ZeroSSL certs are timestamped largely from early 2021, with most valid beginning dates clustered in March 2021.  Certificate histories could be identified as far back as 2016 for a few select domains, but the actor appears to have begun building out the current cluster of infrastructure in mid-2020 (June/July).

In order to visualize current and potential connections, the indicators were loaded into VirusTotal Graph.  VT Graph enabled analysts to further pivot on malicious samples downloaded from and communicating with the domains and hosting infrastructure, as well as identify URLs and sub-domains clustered with the identified domains.

Further analysis of the malware hosted within these domains reinforces the interconnectedness of the network. The identified samples relied heavily on scripting and LOLbins to establish persistence in the victim machine and communicate with the threat actor. Additional payloads and scripts were retrieved from btc247[.]xyz. Communication was made via SMTP from btc247[@]sellview[.]xyz to 247@sellview[.]xyz leveraging a mailserver at emailserver[.]vn, a large Vietnamese webmail provider. {Figure 9,10}

Figure 9 – Network traffic generated by infection

Figure 10 – SMTP communication from victim machine

 

The email attachment contains information from the victim machine indicating if it has a configuration file for TeamViewer or a specific cryptominer. Samples of this cryptominer were found in an open directory on one of the domains in this network. AeroAdmin is installed for remote control of the victim machine, but we were unable to link the AeroAdmin account back to any specific group or actor at this time.

Conclusion

Redaction of registration data previously available via WHOIS has left Threat Researchers and Threat Intel Analysts with a gap that can be bridged by investigation and clustering of TLS Certificates to identify adversary infrastructure.  Thanks to the push for Certificate Transparency{12,13}, each CA continuously updates a permanent, append-only record of all certificates that have been associated to domains, which can then be leveraged to identify hosting infrastructure (and even adversary TTPs) by searching the data provided by the good folks doing the public service of scanning the internet {14}.  Researchers hunting malicious infrastructure can continue to ply their trade while society grapples with GDPR and privacy law.

Notes on Analytical Gaps:

1. Prevailion Analysts do not currently possess region-specific, nuanced knowledge of the Vietnamese internet hosting market, so something like the choices of registrar may be restricted enough that multiple entities might be forced to use the same registrar and name server (leading to false confidence in clustering activity).
2. Long term hosting data (SSL certificate scans or pDNS data) may have enabled further pivot opportunities based upon domains observed in expired certificates.

REFERENCES:

1. https://medium.com/@mark.parsons/hunting-a-tls-certificate-series-post-1-6ad7adfebe44
2. [Mark Parsons @ SANS DFIR: Hunting Cyber Threat Actors with TLS Certificates](https://www.youtube.com/watch?v=SieSrv8RGic)
3. [Ryan Kovar @ SANS DFIR:](https://www.youtube.com/watch?v=QA5OTUVqJiw)
4. https://www.riskiq.com/blog/external-threat-management/threat-hunting-post-whois/ 
5. https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects?utm_campaign=current-events-to-widespread-campaigns-pivoting-from-samples-to-identify&utm_source=Blog 
6. https://osintcurio.us/2019/03/12/certificates-the-osint-gift-that-keeps-on-giving/
7. https://threatconnect.com/blog/infrastructure-research-hunting/
8. https://threatconnect.com/blog/track-to-the-future/
9. https://threatconnect.com/blog/using-fancy-bear-ssl-certificate-information-to-identify-their-infrastructure/
10. https://www.globalsign.com/en/ssl-information-center/what-is-an-ssl-certificate
11. https://sslbl.abuse.ch/
12.  https://www.rapid7.com/blog/post/2018/01/04/certificate-transparency-the-gift-that-keeps-giving/
13.  https://transparencyreport.google.com/https/certificates?hl=en
14.  https://scans.io/