Shadowfall

Over the last several months, RSA Research embarked on a cross-organizational effort against RIG Exploit Kit (RIG EK or just plain RIG), which led to insight into the operational infrastructure (and possibly the entire ecosystem), as well as significant discoveries related to domain shadowing. Domain shadowing is “a technique in which attackers steal domain account credentials from their owners for the purpose of creating subdomains directed at malicious servers”.

As a direct result of these efforts, tens of thousands of active shadow domain resources were removed from RIG, malvertising, and malspam operations.

Research Methodology and Acknowledgments
Initial data for this research was collected and evaluated during the period between the 21^st of February and 20^th of March, 2017; however, significant follow-on data acquisition, evaluation, and subsequent research has also been conducted (and continues) to ensure relevancy of this discussion to current RIG EK operations.

It is important to note that our continuing research and findings have only been made possible by the combined chi of our astute colleagues at GoDaddy and a number of community researchers. Specifically, we would like to acknowledge the work of @broadanalysis, @dynamicanalysis, @executemalware, @malwarebytes, @zerophage, and especially Brad Duncan of malware-traffic-analysis.net and Palo Alto Unit 42. We would also like to give a special thanks to Rintaro Koike (@nao_sec, http://nao-sec.org/), whose ongoing collaboration has also been critical for this research.

RIG EXPLOIT KIT
Given that our foray into this space began with a detailed examination of the RIG exploit kit, it’s important to provide a thorough operational overview of how the exploit kit functions. Figure 1 illustrates typical RIG operations and will be utilized to structure subsequent discussion of those operations.

Figure 1. RIG delivery overview

As shown by the graphic below, RIG remains an active and payload-diversified exploit kit on the market today.

Figure 2. RIG exploit kit activity as of May 17, 2017 (Credit @executemalware)

COMPROMISED SITES
The beginning, and key facilitator, of RIG EK operations is the compromised site. While malvertising, chrome font pop-ups, and other methods are also responsible for driving traffic to landing pages, the most prevalent method observed during our research is injecting an iframe into compromised WordPress, Joomla!, and Drupal sites.

Figure 3. Mar 6, 2017 injected iframe

Figure 4. Mar 20, 2017 injected iframe

Figure 5. Apr 10, 2017 injected iframe

Figure 6. May 15, 2017 injected iframe

It’s not surprising to see evolving URL parameters in use by RIG EK. Historically, the exploit kit was observed rotating and reusing these type URL parameters for injected iframes, JavaScript, and so on. A historical timeline of RIG-related URL patterns are included in the RIG whitepaper (in Japanese) to be found in the LAC Cyber Grid View released in February 2017. Current RIG EK parameters are captured in Figure 7.

Figure 7. RIG URL parameters as of May 12, 2017

When evaluating a slice of compromised sites (derived from crawlers) referring traffic to RIG landing pages the registrars appear to be a somewhat typical cross-section of domain registrars (Figure 8).

Figure 8. Compromised sites with distributed registrants

GATES and TRAFFIC DISTRIBUTION SYSTEMs (TDS)
Early in our research, we observed no significant evidence of TDS or Gates being used in conjunction with major RIG campaigns (specifically PseudoDarkleech and EITEST), although there are published reports by other security researchers, such as @dynamicanalysis who covers TDS referral traffic used by GoodMan and some malvertising leading to RIG EK.

However, this began to change during the end of March, and into April and May, as several new campaigns appeared. While the GoodMan and Seamless campaigns use traditional gates, such as hurtmehard[.]net in the case of GoodMan the Decimal-IP campaign redirects traffic using integer-expressed IP addresses to reach RIG landing pages. This is likely to avoid traditional indicator of compromise (IOC) based detection measures, which is also why current threat actors have adopted such a technique (Figure 9).

Figure 9. Decimal IP redirects to RIG

LANDING PAGES
Traffic driven both by traditional gates and by iframes injected into compromised sites lead to RIG landing pages, which are the cornerstone of the RIG operational model. Figure 10 includes sample network traffic captures, while the current PCAP from the Decimal-IP campaign can be found here.

Figure 10. Network traffic to RIG landing pages

Figure 11 is a partially de-obfuscated landing page as observed in the wild on May 16^th, 2017.

Figure 11. May 16, 2017 RIG landing page

The primary purpose of RIG landing pages is to intelligently exploit incoming client machines victimizing them with a diverse set of payloads pushed by a number of different campaigns.

EXPLOITS
During the course of our investigation the most commonly observed exploits landed by RIG are well understood and Flash related (commonly exploiting CVE-2015-8651). In the course of due diligence, we compared current RIG samples with a collection of older samples, finding code and process execution similarities across numerous campaigns. Evidence to this is an easily identified Flash exploit (Figure 12).

Figure 12. RIG-related Flash exploit scan results

In addition to the noted Flash exploits, RIG landing pages were also seen to deliver payloads targeting Internet Explorer (IE) with exploits against CVE-2016-0189, CVE-2015-3419, and CVE-2014-6332 (Figure 13).

Figure 13. CVE by user agent; https://github.com/nao-sec/RigEK

While the primary focus of this discussion is not the reverse engineering of RIG landing pages or related exploits, it is important to mention that several strong technical walk-throughs exist within current security research. Specifically, we recommend examples from RSA Research and nao_sec.

PAYLOADS
The multitude of payloads delivered by RIG are constantly in flux and are largely dependent on the various campaigns utilizing RIG delivery. Over the course of our investigation we noted an initial heavy persistence of RIG-delivered Cerber, a favorite of the PseudoDarkleech (PDL) campaign. Activity for PDL trailed off in April, largely remaining quiet (or stealthier). A technical walk-though on the Cerber payload can be found in Appendix A.

Figure 14. Your friendly Cerber welcome screen

EITEST was the second most active campaign noted in our early research. It is still active and delivering a wide variety of malicious payloads (e.g., the Dreambot banking trojan), but often falls back to the reliable income of ransomware. Specifically noted were payloads of Cerber, CryptoShield, Sage, and Spora in February and March. A technical walk-through of the CryptoShield payload is found in Appendix B.

Figure 15. CryptoShield welcome screen

The Decimal-IP campaign, one of two recently active campaigns leveraging RIG, has recently been observed delivering smokeloader (sample). Among the several researchers actively following this activity, zerophage has several technical walk-throughs with a sample of network traffic in Figure 16.

Figure 16. Decimal IP redirect delivers Smokeloader

Seamless, the final campaign addressed in this research, has recently been observed delivering Latentbot and Ramnit ransomware. Relevant technical documentation on this campaign exists from both Cisco and Brad Duncan, who annotated Figure 17.

Figure 17. Seamless campaign delivery of Ramnit ransomware as seen in network traffic

FOOTPRINTING A SHADOW INFRASTRUCTURE
How does this infrastructure look in a snapshot of RIG operations? Leveraging known RIG landing pages over the period of February 21-27, Maltego (including keys for PassiveTotal and Domain Tools for correlation and enrichment) was utilized to generate a snapshot of RIG operational infrastructure as it relates to the EITEST and PDL campaigns (Figure 18).

Figure 18. Sample of RIG operational infrastructure as observed from 27 Feb, 2017

During analysis we noted three interesting aspects of this infrastructure. First, there was a high degree of target IP subnet re-use in RIG activity observed from the end of February through March and into early April.

Figure 19. RIG backend hosting ASNs

In past research, we discussed the significance and availability of bulletproof hosting for crimeware actors. RSA Research observed RIG-related Autonomous System Numbers (ASNs) fall primarily within a core group of ‘commercially obfuscated’ bulletproof hosting providers (e.g. TimeWeb). Specifically, these ASNs have enough legitimate mixed-used traffic (making them unlikely to be blacklisted) to provide obfuscated operational relay for crimeware actors. A cursory OSINT search turns up numerous indicators supporting this assertion:

Almost predictably, attempts to crawl domains hosted within RIG-related netblocks (Figure 19) did not turn up a single instance of an injected iframe (with substring matches based on Figure 7 patterns) referring traffic to RIG landing pages. This may indicate sites compromised for this purpose may specifically be targeted for their proximity and draw of Western traffic, especially given what we know about some payloads’ country and language whitelisting.

Secondly, we noted heavy SSL certificate re-use, which we initially believed might be RIG related; however, further investigation demonstrated certificate proliferation across a large number of ASN-localized domains (e.g., see Figure 20). Based on these findings, we assess that these SSL certs are not RIG related and likely employed generically by the hosting provider(s).

Serial Issuer Organization Shodan Listing

620617 GeoTrust Inc. https://www.shodan.io/search?query=ssl.cert.serial%3A620617

983750 GeoTrust, Inc. n/a

66288 GeoTrust Inc. https://www.shodan.io/search?query=ssl.cert.serial%3A66288

Figure 20. Shodan certificate details; shodan.io

Examination of Whois registration details for RIG landing page domains revealed GoDaddy as the primary registrar. Figure 21 is a Maltego screenshot breaking down Registrars for 395 unique subdomains verified to be serving RIG landing pages between Feb 21 and Apr 10, 2017.

Figure 21. RIG landing pages with common registrar

Based on these findings, we isolated all individual registrant emails owning these subdomains (initially blocking out the generic registrants, e.g., abuse@). Taking these registrant emails in batches we proceeded to identify all related domains and subdomains – successfully identifying thousands of shadow domains hosted by a major provider. Figure 22 is a Maltego screenshot of more than 2200 subdomains registered to 18 GoDaddy registrants, each of which were actively abused during RIG operations from Mar 25 to Apr 5, 2017. These are believed to be compromised accounts.

Figure 22. Compromised accounts being used for shadow domains

Subdomains owned by these compromised accounts appear to be shadowing legitimate GoDaddy domains and are hosting current RIG landing pages in the foreign net blocks previously referenced (Figure 19). DNS A records provide further evidence of this observation as seen in Figures 23 and 24 (courtesy of centralops.net)

Figure 23. Sample DNS records for a shadow domain

Figure 24. March 28, 2017 – DNS A record for a shadow domain

The actors behind RIG routinely clean up and delete the subdomain and DNS A records before new shadows are created. Preliminary analysis of shadow domain DNS A records indicates a lifespan of 5-10 days before deletion. That being said, we also believe the actual availability of these shadow domains based on backend hosting (i.e., ASNs in Figure 19) is likely closer to 24-48hrs. Evidence to this fact is the creation and subsequent removal of this shadow domain from DNS records on March 30, 2017 (Figure 25).

Figure 25. March 30, 2017 – Cleaned up DNS records for shadow domain

This activity has continued into April and May, as shown in Figure 26 below.

Figure 26. May 16, 2017 RIG shadow domain seen via DNS A records

COLLABORATION WITH GODADDY
Due to the high incidence of GoDaddy-registered domains, GoDaddy was engaged as a collaborative partner in documenting the shadow domain infrastructure. Having a focused view provided a unique vantage point for examining the shadow DNS entries. Through their analysis, GoDaddy identified various metrics that could provide visibility into the threat actors’ tactics, techniques, and procedures. These methods were subsequently used to pinpoint and observe domain shadowing activity. The infrastructure developed for these purposes provided visibility needed to understand the problem further.

Historical domain shadowing activity was analyzed over a 60-day window using various identified patterns of behavior. During this period, RIG shadow activity was observed to be using one primary pattern for subdomain generation consisting of words selected at random from a fixed wordlist (e.g., ‘red’, ‘admin’, ‘info’, ‘save’, and ‘new’).

RSA Research also verified these shadow domains as RIG-related by correlating both the destination IPs in GoDaddy DNS data (i.e. where the DNS A records were pointing for shadow domains) with RSA-observed RIG backend netblocks (Figure 19), as well as sandboxing active shadow domains. Figures 27 and 28, observed in early May, illustrate shadow domains in use as RIG Landing Pages. These results consistently accepted current RIG URL patterns and dropped known .swf exploits (e.g., md5: dc7d6b8b623fdf82a8ba48195bd1bdbf).

Figure 27. Sandboxing a shadow domain serving as RIG landing page.

Figure 28. Sandboxing another shadow domain serving as RIG landing page

Additionally, domain-shadowing activities following several alternative patterns were identified during the course of this investigation. In totality, shadowing activity was seen to affect hundreds of customers, with each having on average 150 shadow registrations injected into their DNS records. Daily DNS modifications were measured to be about 450 new shadow subdomains per day. The source initiating a vast majority of these record changes are browser invocations by an unknown client or multiple clients on the TOR network.

The most prominent domain-shadowing pattern was identified to be using a random 3-5 letter subdomain name consisting of alphanumeric characters. Example subdomains observed in this set are ‘m47xh’, ‘mv6’, ‘eeiv’, ‘l4pj2’, ‘eiq0s’, and ‘bthi’. This set is most numerous and consists of over 95% of current shadow registrations. This shadowing activity was observed in over 30,000 subdomains total affecting over 800 domains. The active subdomains were constantly fluctuating with entries continually being added and removed in an automated fashion with an average of 900 record modifications per day.

Figure 29. Active shadows during period of observation

Preliminary OSINT analysis of this activity indicates that this pattern may be related to ongoing malspam and malvertising activity, leading to a broad spectrum of crimeware deliveries. Examples of these activities are shown below in Figures 30 and 31.

Figure 30. Spam from other shadow domains?

Figure 31. Google dorking other shadow domains

Collectively, the shadow records identified pointed to approximately 240 unique IP addresses over 20 different class C subnets. Unfortunately, additional analysis of destinations was not possible, as the associated hosting providers were not engaged in the course of our investigation. Identification of this behavior has led to it being shutdown at scale as described below in the “Remediation” section.

AN ECOSYSTEM FUELED BY COMPROMISED CREDENTIALS
The fact that these campaigns so heavily rely on compromised credentials is somewhat eye opening. Yet, from the discussion above, we have high confidence that RIG landing pages are almost (if not) exclusively hosted on short-lived shadow subdomains of compromised domains (and accounts) and being served out of near bulletproof ASNs in Eastern Europe. How were these credentials being harvested?

The Internet, rife with info-stealers for years, has a number of viable campaigns that may need to be evaluated for attribution. An effort to cross-correlate these compromised credentials against the last several years’ PONY dumps had negative results, indicating that those campaigns were not likely culprits. Many other options do exist though.

In terms of the shadow domains themselves, it is believed that the threat actors waging these campaigns rely upon sophisticated phishing operations to acquire legitimate customer credentials (e.g., Figure 32). GoDaddy’s 17 million customers and 71 million domain names makes them a natural target for wide-scale and sophisticated phishing attacks. GoDaddy continues to advocate for Two Factor Authentication (TFA) and actively work with hosting providers serving these phishing pages to take down sites hosting this malicious content.

Figure 32. A previous GoDaddy targeted spear-phishing campaign

In terms of the compromised sites (sites referring traffic via injected iframes to GoDaddy shadow domains), the cross section of affected domain registrars implies a more opportunistic approach. While it remains unclear what methods may have been employed as a means for harvesting these credentials, community research exists on the usage of IoT botnets to brute force WordPress sites.

If these observations and speculations are valid, perhaps we need to consider the RIG operations model as more of an ecosystem as suggested by Figure 33.

Figure 33. Speculated RIG ecosystem

REMEDIATION
The documented shadow activity has been removed from GoDaddy’s DNS systems. Domain shadowing has, historically, been a challenging problem due to records being infrequently checked, numerous, and created under legitimate domains. Working with RSA, GoDaddy was able to apply data analytics to isolate and remove the offending shadow domains. Known-bad destination IP addresses have been blacklisted in GoDaddy’s DNS system. Additionally, compromised customer accounts have been locked and require a credential change to prevent future misuse.

The focus moving forward is to continue developing processes for at-scale detection and removal of malicious DNS records, as well as to integrate preventative measures into the domain modification data flow. As these efforts mature in their ability to prevent and disrupt shadowing, the direction will shift away from reliance of submitted indicators for ad-hoc remediation. Instead, they will depend on the analysis of internal datasets to identify and remove malicious records in an automated fashion.

Success in these areas will minimize Time to Detection and Time to Remediation while significantly reducing the shadow domains’ lifespan. Architectural mitigations are also being evaluated for integration into accounts at high risk for domain shadowing. This path of action will keep GoDaddy accounts more secure and reduce the effectiveness of domain shadowing as a technique for malware distribution.

IMPACT and CONCLUSION
While measuring impact of any takedown operation is difficult, especially given limited visibility into threat actor activity, preliminary analysis indicates a significant loss of capabilities to RIG operations, specifically to current Seamless and Decimal IP campaigns (as shown in Figure 34). Longevity of impact is still under joint evaluation by GoDaddy and RSA teams.

Figure 34. RIG backend not available for Decimal IP Campaign

Determining the impact of such a takedown on the inextricable pile of ongoing ransomware, malvertising, and malspam campaigns is significantly more challenging. What we do know is that on May 16, 2017, tens of thousands of active shadow domain resources were removed from an active crimeware actor’s operational capabilities.

This report concludes this phase of our research and related findings; however, we anticipate further joint research on the role that domain shadowing operations play in the larger crimeware ecosystem.