As analysts, we are used to the common logic of "if it's too good to be true, than it probably is", but every now and then, leads that fall into this category pan out. Steve and I have been investigating a set of infrastructure for over 9 months now and it's finally to a point where we feel confident in the communities response to action the threats involved appropriately. Our analysis shows at least seven different nation-state actors using a common set of infrastructure to conduction operations with little change for several years.
Shortly after launching enterprise services in June of last year, we received an email to one of our aliases for PassiveTotal. Someone using our services needed help understanding malware they had seen their network. Their email outlined a situation that has become quite common today - one of their employees was visiting another country, left their device in a hotel and upon return back home, started to experience strange behaviors on the network. Attached to the email was a password-protected zip file (extension replaced with underscores) that included some of the suspicious files retrieved from forensics.
Looking at the poorly crafted email, it felt like an obvious attempt to phish our accounts, but there was the possibility someone really do need some assistance and maybe english (or grammar) wasn't their forte. I downloaded the ZIP file to one of my local Windows virtual machines and unpacked it. In the archive were several renamed files that looked like they were extracted from some forensics tool. Despite the odd email, this request for help seemed legitimate.
Find the C2
Neither Steve or myself are reverse engineers, so we asked a few private researchers for their help. In the end, they provided us with a list of the following domains:
Right away, it was obvious that the threat actors were smart enough to hide their tracks by using dynamic DNS domains. Querying for the infrastructure inside of PassiveTotal revealed numerous malware samples hosted on Virustotal, but IP addresses were limited. In fact, the only host to respond at the time of our analysis was "bonedaddy.lflinkup.com". Feeling a bit discouraged at the lack of data, I clicked the single IP address to make a pivot and was blown away with what we identified.
Multiple Nation States
Connected off the "bonedaddy" domain was over 4,000 links to numerous nation-state actors and hundreds of malicious samples. Countries from all over the world, known for their advanced cyber operations literally all in one spot on the Internet. Steve and I individually researched each of the resolutions using our datasets and the RiskIQ crawling infrastructure to validate our conclusions. In the end, we identified one core nexus shared amongst all the actors, 127.0.0.1.
Our theory for the extensive and long-lasting use of 127.0.0.1 as a command and control server is simple, actors like to go home. Much like you and I, these nation-state actors are simply performing a job they were hired to do. And like you and I, their hours may not be the greatest, the benefits not the most lavish and the pay certainly not worth all the time, but it's a job. At the end of the day, heading home is what keeps them going.
If you haven't caught on by now, April fools. Don't go blocking 127.0.0.1 on your network because you will crash the Internet or something. If you're looking to track actors, nation state or otherwise, don't be a fool, check out PassiveTotal and register for a free account!