In this blog we will identify 36 Latrodectus phishing domains through passive DNS analysis of a domain reported on Twitter/X.
The initial reported domain leverages 302 redirects to send users to a malicious or benign file. The URL present in the 302 redirect is re-used across numerous domains and we can leverage this information to identify additional infrastructure.
In summary, we will use the following indicators to identify the additional servers:
- Same resolved IP address: 193.106.174[.]218
- Same usage of 302 redirects to the same URL on documentcloud[.]org
- Previous usage of 302 redirects to harvardlawreview[.]org
Initial Intelligence
The initial intelligence in this blog is from a tweet posted by @Unit42_intel.
The tweet details a Latrodectus infection leveraging phishing links to redirect victims to a JavaScript file, which ultimately loads LummaStealer malware.
Within the original tweet, there is a screenshot of a phishing link contained in an email. This link contains the domain lufyfeo[.]org, which will form the basis and starting point of our analysis today.
Our goal will be to analyse this domain to identify any patterns or indicators that can identify additional domains and IOCs.
Initial Notes
Based on information contained in the initial post, the lufyfeo[.]org domain is likely leveraging redirects to send a victim to alternate “fake” pages.
This information will form an important step in our next analysis, as we will leverage patterns in the 302 redirects to identify additional domains.
Initial Analysis With Passive DNS
Our initial analysis can begin by searching the lufyfeo[.]org domain in a passive DNS tool such as Validin.
This will reveal a detailed history of the IP addresses that have been in use by the domain.
In the below screenshot, we can see that the most recent IP resolution was 193.106.174[.]218.
This IP address will form our first pivot point.
After determining the most recent IP address, we can also review the most recent host responses for the lufyfeo[.]org domain.
This reveals the presence of multiple 302 redirects, which are likely redirecting the user to the next malicious page.
By viewing additional information about the 302 redirect, we can see that the redirect location is a PDF file hosted on documentcloud[.]org.
By researching the documentcloud[.]org domain, this appears to be a legitimate site used for hosting PDF files.
Investigating this exact PDF link on urlscan, it appears to be a relatively benign PDF file.
I did not confirm 100%, but I believe that this is a non-malicious PDF returned if the user has not requested the exact URL provided in the initial email.
Leveraging Redirects as Pivot Points
At this point we have now identified the most recent IP address used by lufyfeo[.]org, and we have identified that the domain is leveraging 302 redirects to send the user to the next location.
Recall that the lufyfeo[.]org domain contains host responses with 302 redirects.
By expanding our search to the most recent resolved IP address for lufyfeo[.]org, we can expand this search to other domains hosted on the same server.
We can check this by searching for the most recent resolved IP of 193.106.174[.]218 and checking the Host Responses tab for 302 redirects.
Reviewing the redirect details for interiourbydennis[.]com, we can see that the 302 redirects to the same location.
A very similar response can be observed for deqytuu9[.]org and web3rse[.]org.
Of extremely interesting note is that the deqytuu9[.]org domain redirects to a PDF file hosted on harvardlawreview[.]org.
To my knowledge this is a legitimate domain and legitimate file, but it is interesting to note that other sites hosting PDFs are being leveraged.
This will become more important later when we do additional pivoting.
Identifying All Current Domains
At this stage we have identified an IP address 193.106.174[.]218 that is hosting both the original malicious domain lufyfeo[.]org as well as numerous other domains showing similar behaviour.
In total, there are 1256 host responses for the 193.106.174[.]218 address. Our next goal will be to enumerate all of these for indications of 302 redirects to URLs containing PDF references on harvardlawreview[.]org or documentcloud[.]org.
Since the number of responses was so large, I utilised the JSON export feature of Validin to obtain the complete results of the search.
This allowed me to focus on information like the 302 redirect location.
We can start this by exporting all entries in the current response.
After exporting the entries, CyberChef can be leveraged to beautify the JSON output and determine which fields are of interest.
In this case, we want only the host and location fields within the JSON.
Enumerating JSON Output With Python
Since we only need to check the location and host fields, we can use a small Python script to enumerate all results in the JSON output for references to URLs with PDF references.
Running this script produces a large number of results for redirects to the same location as the known malicious domain.
After deduplicating the results, we are left with 36 domains hosted on the same IP address and redirecting to either the same documentcloud[.]org file, or the additional harvardlawreview[.]org file.
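The post does not reproduce its script, so the following is an added example (not the author's code) of the enumerate-filter-deduplicate step described above. The structure of the Validin JSON export is an assumption: the example only relies on the host and location fields the post names, plus an optional status field, and the sample export embedded below is constructed from domains on this page with placeholder PDF paths. It also generalises slightly: rather than matching one fixed URL, it accepts any PDF on either pivot host, so it covers both the documentcloud[.]org and harvardlawreview[.]org cases at once.

```python
import json
from urllib.parse import urlparse

# Constructed sample modelled on a passive-DNS host-response export.
# The field layout is an assumption; paths are placeholders, not real URLs.
SAMPLE_EXPORT = json.dumps({
    "records": [
        {"host": "lufyfeo[.]org", "status": 302,
         "location": "https://www.documentcloud[.]org/documents/EXAMPLE-placeholder.pdf"},
        {"host": "interiourbydennis[.]com", "status": 302,
         "location": "https://www.documentcloud[.]org/documents/EXAMPLE-placeholder.pdf"},
        {"host": "deqytuu9[.]org", "status": 302,
         "location": "https://harvardlawreview[.]org/EXAMPLE-placeholder.pdf"},
        # duplicate response for an already-seen host: must be deduplicated
        {"host": "lufyfeo[.]org", "status": 302,
         "location": "https://www.documentcloud[.]org/documents/EXAMPLE-placeholder.pdf"},
        # noise: a 200 with no redirect, and a 302 to a non-PDF target
        {"host": "unrelated-example[.]net", "status": 200, "location": ""},
        {"host": "other-example[.]org", "status": 302,
         "location": "https://example[.]com/login"},
    ]
})

# The two hosts used as pivot points in the post.
PDF_HOSTS = {"documentcloud.org", "harvardlawreview.org"}


def refang(value):
    """Turn a defanged indicator ('a[.]b') back into a parseable one."""
    return value.replace("[.]", ".")


def defang(value):
    """Defang an indicator for safe reporting."""
    return value.replace(".", "[.]")


def pivot_host(location):
    """Return the pivot host if the redirect target is a PDF hosted on
    documentcloud.org or harvardlawreview.org, otherwise None."""
    parsed = urlparse(refang(location))
    host = (parsed.hostname or "").lower()
    if host.startswith("www."):
        host = host[4:]
    if host in PDF_HOSTS and parsed.path.lower().endswith(".pdf"):
        return host
    return None


def extract_redirect_hosts(export_json):
    """Map each pivot host to the sorted, deduplicated list of (defanged)
    domains whose 302 responses redirect to a PDF hosted there."""
    found = {}
    for rec in json.loads(export_json).get("records", []):
        # Only 302 redirects are of interest; records without a status
        # field are assumed to be redirects if they carry a location.
        if rec.get("status", 302) != 302:
            continue
        target = pivot_host(rec.get("location") or "")
        if target is None:
            continue
        found.setdefault(target, set()).add(refang(rec["host"]))
    return {t: sorted(defang(h) for h in hosts) for t, hosts in found.items()}


def all_redirecting_domains(export_json):
    """Flat, deduplicated list of every domain redirecting to a pivot PDF."""
    return sorted({d for hosts in extract_redirect_hosts(export_json).values()
                   for d in hosts})


if __name__ == "__main__":
    # With a real export, replace SAMPLE_EXPORT with open(path).read().
    for target, hosts in extract_redirect_hosts(SAMPLE_EXPORT).items():
        print(f"{target}: {len(hosts)} domain(s)")
        for h in hosts:
            print("  ", h)
    print("total unique:", len(all_redirecting_domains(SAMPLE_EXPORT)))
```

Run it against a real export by reading the file into the `export_json` argument instead of the constructed sample. Matching on host and a `.pdf` path rather than one exact URL is a deliberate choice: it still catches the single documentcloud[.]org file the post pivots on, but also surfaces the harvardlawreview[.]org variant without a second pass. Keep the match this narrow; a redirect to an arbitrary PDF host is not on its own evidence of shared infrastructure.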
The complete list of these domains can be found below.
mayanui[.]com
quwezui[.]org
durete[.]org
hofaty[.]org
qeqady[.]org
fuwer[.]org
defifya[.]org
gotuqoa[.]org
suzabyu[.]org
web3rse[.]com
interiourbydennis[.]com
sytukoe8[.]org
lufyfeo[.]org
boldenslawncare[.]com
qyjifia[.]org
vajosoo[.]org
sabehey[.]org
nevujo[.]org
lyzupoy[.]org
mypusau[.]org
zuwagie6[.]org
marypopkinz[.]com
simanay[.]org
cabobao3[.]org
ticava[.]org
zefos[.]org
fazadoe[.]org
luhuhu[.]org
cuxu[.]org
pubonao[.]org
xacygo[.]org
deqytuu9[.]org
gejyg[.]org
pucak[.]org
intellipowerinc[.]com
gejyg[.]org
Original source: https://embee-research.ghost.io/phishing-domain-analysis-with-passive-dns-latrodectus/
MITRE ATT&CK Techniques and Procedures
- Initial Access (TA0001):
- T1566.002 – Phishing: Spearphishing Link: The attackers use phishing emails containing malicious links to redirect victims to malicious sites that mimic legitimate websites like Arc Browser, Notion, and Slack.
- Execution (TA0002):
- T1204.002 – User Execution: Malicious File: Victims are tricked into downloading and executing malicious files disguised as legitimate software installers.
- Persistence (TA0003):
- T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder: The malware may achieve persistence by adding itself to startup items or modifying registry keys to ensure it runs at every system startup.
- Defense Evasion (TA0005):
- T1027 – Obfuscated Files or Information: The malware uses XOR encoding and other techniques to obfuscate its code and evade detection.
- T1553.002 – Subvert Trust Controls: Code Signing: The malware is distributed in ad-hoc signed DMGs to bypass macOS Gatekeeper warnings.
- Credential Access (TA0006):
- T1555 – Credentials from Password Stores: The malware attempts to dump plain text passwords from the macOS keychain by prompting the user for their login password.
- Collection (TA0009):
- T1005 – Data from Local System: The malware collects sensitive data from the victim’s system, including credentials, browser login data, and cryptocurrency wallet information.
- Command and Control (TA0011):
- T1071.001 – Application Layer Protocol: Web Protocols: The malware communicates with the attacker’s server over HTTP to send exfiltrated data and receive commands.
- Exfiltration (TA0010):
- T1041 – Exfiltration Over C2 Channel: The stolen data is sent to the attacker’s server in a base64 encoded zip file over the malware’s command and control channel.