Earlier this morning, Eyal from Clearsky Cyber Security published a paper on "Operation DustySky", a set of targeted campaigns attributed back to the Gaza Cybergang. When working with Clearsky, we observed some interesting details and overlap that didn't quite fit in the paper, so we wanted to publish them here.
We found this IP address to be interesting due to the SSL certificate, mix of dynamic DNS and registered domains and recent activity.
Based on the heatmap above, a user can easily identify that traffic to this particular IP is fairly new (showing in mid-December). What’s worth noting is that the first day starts with just one resolution, followed by 17 and then 24. Those first 3 days appears to be significant as newly observed domains (notated by the orange flag) are seen and then it’s nothing new over the next few weeks.
The certificate for this domain is interesting, but does not appear to lead to any new discoveries. Clicking on “Serial Number”, “Common Name” and “SHA-1” do not reveal anymore new IP discoveries or overlap.
This IP address is interesting because of the SSL certificates, but mainly due to some overlap with Gaza Cybergang and a strange pattern in the domain changes.
In this heatmap, you can see a clear change from Dynamic/Registered infrastructure to just dynamic infrastructure in the past ~2.5 weeks. While this may not be significant, it’s worth noting and should be investigated or compared to attack times. Did attackers stop on the same day they switched to dynamic DNS only? Was this infrastructure used again?
Above is a screenshot of the results table from update.ciscofreak.com which used the 126.96.36.199 address back in April of this year. It’s worth noting that based on the PassiveTotal OSINT tags, you can see that Kaspersky had reported on the Gaza Cybergang for the IP address 188.8.131.52 which resolved at the same time. While time periods may not overlap completely (was 184.108.40.206 used for malicious purposes in April?), it’s still worth investigating.
This IP address was reported by Kaspersky as being linked to Gaza Cybergang and shows overlap to the DustySky infrastructure in April of this year. Looking at the results, it’s interesting that it seems to show a similar pattern of dynamic/registered domains and then a sudden shift to dynamic DNS only.
The results seem to show more potential links to malicious activity with dynamic DNS domains not mentioned in reporting being shown. Due to the dynamic DNS nature, there’s a good chance these are not related or may no longer be malicious, but they still have recent activity that could be used as a research point.
Also, worth showing that there’s an SSL certificate associated with the IP address from October of last year. It’s a wildcard certificate that shows a relation to Quantas Airways Limited giving us a timeframe that the current holders appear to be non-malicious and that started around October. Anything before that period could be suspect. Also, it’s strange that those Dynamic DNS domains continue to point to the IP despite being owned by a real service. Did the attackers abandon their infrastructure?
This IP address shows a connection to the following SSL certificate starting in October of 2015.
While not incredibly unique, the common name of the certificate is interesting. Looking for open source data doesn’t reveal any connections to malware, but the domain itself is strange and a good point to pivot off of.
Clicking the subject name reveals quite a lot of other IP addresses that used a certificate with the same name roughly around the same 6 month time period in 2015. Many of these appear to be dead-ends, but 220.127.116.11 shows some domains associated with it that have OSINT hits associating back to PWC reporting on Middle Eastern actors using xtremeRAT and Poison Ivy and Kaspersky Gaza Cybergang.
The above results for 18.104.22.168 show yet again, an interesting change of dynamic and registered domains and then going to dynamic only in the past few weeks. Unlikely a correlation, but interesting nonetheless. The OSINT data is clearly seen by the tags on within the result table.
It’s valuable to dig into the co.vu usage a bit more for these actors. Going to the services website reveals a dynamic-like service in which users can obfuscate their Tumblr or Blogger blog using a co.vu address.
Registering for free gives users 3 free domains they can use. Given these co.vu addresses are being used in attacks, it’s worth identifying the importance of the domains. Are they being used for command and control or phishing landing pages or exploit delivery? The obfuscation on top of an already 3rd-party service shows signs that attackers are looking to hide their tracks or complicate analysis.