Interpreting "greensky27" Inside PassiveTotal

As highlighted in the ThreatConnect CameraShy report, greensky27.vicp.net played a critical role in uncovering potential threat actors associated with nation state activity. Operating under the assumption that we know nothing about this domain, let’s see what we can find using PassiveTotal. When viewing the domain inside the platform, it’s clear there’s a lot of information to go through, so as an analyst where do you start?

On the left-hand side of the results is a summary pane describing the metadata associated with the domain. Within a few seconds, we know this domain has been in use for at least 4-5 years with the first known data being tracked back to 2010-11-11. Another helpful detail is knowing that vicp.net is actually a dynamic DNS provider which could explain it’s extended use and hundreds of unique records.

Directly to the right of the summary results is the primary pane for analysis with the heatmap being presented directly above the resolution records. Even without reading the labels, it’s clear there’s a pattern of activity that occurred sometime between the end of June and mid-August. Using the heatmap, it’s easy to make the following statements about this particular domain:

  • For the past six months, the domain has been resolving to routable infrastructure
  • For many of the months, the domain only resolved to one IP address
  • Starting at the end of June, several new IP addresses (as indicated by the orange boxes) were introduced for the next several weeks
  • Towards the end of August, new IP addresses stopped associating and the domain began to resolve back to one address

So without ever looking at the actual DNS information, we already have some idea about the domain greensky27.vicp.net. It’s been around a few years, has associations with a dynamic DNS provider and the most interesting period over the last six months lies somewhere in the resolution history from the end of June until mid-August.

At this point, we could begin branching out off the IP addresses during the time period of interest in an effort to discover new infrastructure. Clicking a search on “115.47.5.244” reveals two other dynamic DNS domains, killlab.ticp.net and killlab.vicp.net. Doing a simple Google search online reveals a malware report where those two domains are found within the strings of a binary that attempts to mask as a PDF, a common technique of some nation state malware.

Keeping in mind this is just one possible pivot-point within the results PassiveTotal collected and displayed, it’s likely there are a number of other malicious domains that overlap with greensky27. What’s important to take away from this post is how quickly an analyst can focus their research on a domain that is otherwise unknown to them. Simply running a search, making a couple calculated clicks and noting conclusions could reveal a much larger threat than anticipated.