Refreshing EK Hunting Technique (Enrichment) via TTP
Happy new year!
It has been a while since the last update.
Today I saw an update on malware-traffic-analysis about RIG EK. Nothing new, but I asked myself whether my old hunting technique is still relevant today, since I left the EK hunting ‘industry’ more than a year ago. So I wrote a simple script to perform a quick check:
xanda:tmp xanda$ ./loop.sh
220.127.116.11
18.104.22.168
22.214.171.124
DONE!
I found 2 IPs: 126.96.36.199 (currently serving RIG, mentioned in the malware-traffic-analysis blog) and 188.8.131.52. 184.108.40.206 is not yet serving anything malicious, but my prediction is that it will be serving RIG EK within the next 7 days.
Some tips on this fingerprinting technique:
- Based on the initial IP found, look for the IP range assigned to the same ASN, in this case 220.127.116.11/24.
- Identify the HTTP response headers from the known bad IP, and use them to fingerprint the rest.
- In my experience, one batch of EK server setups will have similar (or almost identical) HTTP response headers, and some EKs use one subnet per batch (but not necessarily).
- EK servers will almost always be dedicated. If you find historical pDNS records for that IP, verify (with dig/nslookup) which IP the domain(s) currently resolve to. For example, 18.104.22.168 has 3 historical pDNS records, but at the moment one of the domains has expired and the other two now point to different IPs.
- This method only works if the “scanned” hosts are alive at that particular moment.
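A compact version of the header-fingerprint check the tips describe, added here as an example and not the author's loop.sh: it parses raw responses, drops volatile headers, scores each scanned host against the known-bad server, and separately checks whether an IP's historical pDNS domains still resolve to it. All IPs, domains and header values are constructed, and the 0.8 match threshold is an assumption.

```python
from typing import Dict, List
# Headers that change per request or per host and so carry no fingerprint signal.
VOLATILE = {"date", "content-length", "etag", "last-modified", "expires", "set-cookie"}

def parse_headers(raw: str) -> Dict[str, str]:
    """Parse the status line and headers of a raw HTTP response into a lowercase name -> value map."""
    lines = [ln for ln in raw.strip().splitlines() if ln.strip()]
    hdrs = {"status": lines[0].strip()}
    for ln in lines[1:]:
        if ":" in ln:
            name, value = ln.split(":", 1)
            hdrs[name.strip().lower()] = value.strip()
    return hdrs

def fingerprint(raw: str) -> Dict[str, str]:
    """Stable part of a response: status line plus every non-volatile header with its value."""
    return {k: v for k, v in parse_headers(raw).items() if k not in VOLATILE}

def similarity(known_bad: str, candidate: str) -> float:
    """Share of the known-bad fingerprint (header name and value) that the candidate reproduces."""
    ref, cand = fingerprint(known_bad), fingerprint(candidate)
    return sum(1 for k, v in ref.items() if cand.get(k) == v) / len(ref)

def hunt(known_bad: str, responses: Dict[str, str], threshold: float = 0.8) -> List[str]:
    """IPs in the scanned range whose response matches the known-bad server (threshold is an assumption)."""
    return sorted(ip for ip, raw in responses.items() if similarity(known_bad, raw) >= threshold)

def pdns_still_pointing(ip: str, historical: List[str], current: Dict[str, str]) -> List[str]:
    """Historical pDNS domains whose current A record (None = expired/NXDOMAIN) is still this IP.
    An empty list is consistent with a dedicated EK host: former tenants moved away or lapsed."""
    return [d for d in historical if current.get(d) == ip]

def resp(*headers: str) -> str:
    """Build a raw 200 response from header lines (helper for the constructed sample data)."""
    return "HTTP/1.1 200 OK\r\n" + "\r\n".join(headers) + "\r\n\r\n"

# Constructed sample scan of a /24 (192.0.2.0/24 is documentation space, not a real range).
COMMON = ("Server: nginx/1.10.2", "Content-Type: text/html; charset=UTF-8",
          "X-Powered-By: PHP/5.6.29", "Connection: keep-alive")
SCAN = {
    "192.0.2.11": resp(*COMMON, "Date: Mon, 02 Jan 2017 10:00:00 GMT", "Content-Length: 4"),  # known bad
    "192.0.2.12": resp(*COMMON, "Date: Mon, 02 Jan 2017 10:00:09 GMT", "Content-Length: 9"),  # same batch
    "192.0.2.13": resp("Server: Apache/2.4.18 (Ubuntu)", "Content-Type: text/html",
                       "Date: Mon, 02 Jan 2017 10:00:02 GMT"),                               # unrelated
}

if __name__ == "__main__":
    print(hunt(SCAN["192.0.2.11"], SCAN))  # ['192.0.2.11', '192.0.2.12']
```

Feed `hunt` the raw header blobs your own scanner collects from the live range, and run `pdns_still_pointing` with the resolutions you get back from dig/nslookup for each candidate.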
Hope it helps. Happy hunting