Xanda's Blog !~!

Refreshing EK Hunting Technique (Enrichment) via TTP


Happy new year!

It has been a while since the last update.

Today I’ve saw an update in malware-traffic-analysis on RIG EK. Nothing new, but i asked myself if my old hunting technique is still relevant today, since i left EK hunting ‘industry’ 1 year++ ago. So i wrote a simple script to perform a quick check:

xanda:tmp xanda$ ./loop.sh

I’ve found 2 IPs; (currently serving RIG, mentioned in malware-traffic-analysis blog) and is not yet serving anything malicious, but my prediction, it will be serving RIG EK in/within the next 7 days.

Some tips on this fingerprinting technique:

  1. Based on the initial IP found, look for the IP range assigned to the same ASN, in this case
  2. Identify the HTTP header response from the known bad IP, and use it to fingerprint the rest.
  3. Based from my experience, 1 batch of EK server setup will have similar (or almost similar) HTTP header response, and some EK will use 1 subnet for 1 batch (but not necessarily)
  4. EK server will always (mostly) be dedicated. If you found historical pDNS record on that IP, verify (with dig/nslookup) for the current IP resolved by the domain(s). For example; has 3 historical pDNS record, but at the moment, 1 of the domain has expired, and another 2 domains are now pointing to different IP(s).
  5. This method will only works if the “scanned” hosts are alive at that particular moment

Hope it helps. Happy hunting

How Did I Find APT16 New Infa with VirusTotal pDNS and a lil Bit of Luck


[Quick and short update]

Last couple of weeks, I was reading the The EPS Awakens – Part 2 blog entry from FireEye and found this one IP,, was previously used as their C2 server. I used VirusTotal IP information, these few domains appeared:

2015-07-01 frppl.com
2015-07-01 jrjfj.com
2015-07-01 pjntx.com
2015-07-01 vzflx.com
2015-07-01 yeaqm.com

I went and check more information on each domain listed and found new infra (IPs) being used:

frppl.com domain information
jrjfj.com domain information
pjntx.com domain information
yeaqm.com domain information

I quickly check the server HTTP response header and this is what I’ve found that they are all the same:

HTTP/1.1 403 Forbidden
Server: nginx/1.6.2
Date: (current time of check)
Content-Type: text/html
Content-Length: 168
Connection: keep-alive

Okay, we already have,,, Lets just quickly perform the HTTP response header loop for the whole /24 subnet (or maybeee i lil bit more). This is the result:

Okay i’m running out of time, my kids are waiting for me outside.

From my quick check on the domain resolved to the IP range – , I can safely assume that those are APT16 new infra. But I not really confident to attribute –, but those IPs in that range, and domains revolved to that range, are fishy!

Happy hunting

Yara Rule for Angler EK redirector JS


Few friends ping-ed me recently and asked for intel on Angler EK. One of the thing that i can really release publicly at the moment without interfering/conflicting with my employer’s interest, is the yara rule to detect the Angler Exploit Kit redirector. The redirector is actually JS code, injected to innocent page to redirect visitor to Angler Exploit Kit.

Here you go:

rule AnglerEKredirector
      description = "Angler Exploit Kit Redirector"
      ref = "http://blog.xanda.org/2015/08/28/yara-rule-for-angler-ek-redirector-js/"
      author = "adnan.shukor@gmail.com"
      date = "08-July-2015"
      impact = "5"
      version = "1"
      $ekr1 = "<script>var date = new Date(new Date().getTime() + 60*60*24*7*1000);" fullword
      $ekr2 = "document.cookie=\"PHP_SESSION_PHP="
      $ekr3 = "path=/; expires=\"+date.toUTCString();</script>" fullword
      $ekr4 = "<iframe src=" fullword
      $ekr5 = "</iframe></div>" fullword
      all of them

Yara rule for jjencode


I’ve recently worked on yara rule to detect jjencode. So here is my simple rule:

rule jjEncode
      description = "jjencode detection"
      ref = "http://blog.xanda.org/2015/06/10/yara-rule-for-jjencode/"
      author = "adnan.shukor@gmail.com"
      date = "10-June-2015"
      version = "1"
      impact = 3
      hide = false
      $jjencode = /(\$|[\S]+)=~\[\]\;(\$|[\S]+)\=\{[\_]{3}\:[\+]{2}(\$|[\S]+)\,[\$]{4}\:\(\!\[\]\+["]{2}\)[\S]+/ fullword 

See you next time 🙂

Fingerprinting (potential) Sinkhole Server


A short update, a note for myself

Last May, while discussing with a friend, we’ve concluded that these 2 header (HTTP header) example indicate that those servers are sinkhole servers:

HTTP/1.0 200 OK
Server: Apache 1.0/SinkSoft
Date: Tue, 27 May 2014 06:11:29 GMT
Content-Length: 0
Connection: close
HTTP/1.1 200 OK
Date: Mon, 26 May 2014 07:26:20 GMT
Server: Apache/2.2.20 (Ubuntu)
X-Sinkhole: malware-sinkhole
Vary: Accept-Encoding
Content-Length: 0
Content-Type: text/html

So we can look for:

  • Apache 1.0/SinkSoft
  • X-Sinkhole:

Today, I’ve found “Server: TornadoServer” is another indicator. But i’m not yet 100% sure. Comments are welcome