“Behavior Mapping” in Cyberspace — One Net(Query) Cleans APT and Botnet C2s

heige
Sep 7, 2021

Author: Heige (a.k.a Superhei) of KnownSec 404 Team https://twitter.com/80vul 09/07/2021

“Behavior (American English) or behaviour (British English; see spelling differences) is the actions and mannerisms made by individuals, organisms, systems or artificial entities in conjunction with themselves or their environment, which includes the other systems or organisms around as well as the (inanimate) physical environment. It is the computed response of the system or organism to various stimuli or inputs, whether internal or external, conscious or subconscious, overt or covert, and voluntary or involuntary.”

— from https://en.wikipedia.org/wiki/Behavior

Cyberspace is the space in which humans act on the Internet, so different groups or individuals form their own distinctive network behaviors in cyberspace. These behaviors show up as customized configurations of device services: habitually used ports, habitually used service versions and configurations, habitual modifications to a specific certificate, and so on.

In cyberspace surveying and mapping, we can sort out and identify the behavior of these specific groups by analyzing the banner data served by the equipment, so as to identify all possible individuals in the specific group. This is the so-called “behavior mapping”.

In fact, cyberspace surveying and mapping already uses default configurations and other fingerprints to identify similar network devices, which in itself takes advantage of behavior brought about by human “laziness”. As another example, consider the traditional defensive mindset: the more important the place, the stronger its security defenses must be. We can identify this pattern of thinking and deployment and use it to find core, important facilities. In cyberspace, security devices such as firewalls and honeypots are all used for defense, so the distribution of these security devices can be used to identify core assets.

Of course, in an article I wrote earlier (https://80vul.medium.com/cyberspace-surveying-and-mapping-in-national-power-outages-and-network-outages-events-925034d79c7a), the behavior of power outages and network disconnections in real space is mapped to cyberspace, and the progress and trends of real-space events can be inferred by analyzing network behavior.

What happens if we use “behavior mapping” to track and capture malicious groups such as APTs and botnets?

In practice, we found that many C2 servers used by malicious organizations such as APTs and botnets may have their own unique banners. This is the unique behavior of these malicious organizers in cyberspace.

Let’s use Trickbot as an example. On August 17, 2021, @TheDFIRReport published a tweet (https://twitter.com/TheDFIRReport/status/1427604874053578756) providing three C2 IP addresses used by Trickbot:

185.56.76.94:443
24.162.214.166:443
60.51.47.65:443

The results of requesting each address with curl are as follows:

185.56.76.94:443 was already offline.

~ » curl -i https://24.162.214.166 -k
HTTP/1.1 403 Forbidden
Server: nginx/1.14.2
Date: Tue, 17 Aug 2021 14:07:25 GMT
Content-Length: 9
Connection: keep-alive

Forbidden%

~ » curl -i https://60.51.47.65 -k
HTTP/1.1 403 Forbidden
Server: nginx/1.14.0 (Ubuntu)
Date: Tue, 17 Aug 2021 14:08:03 GMT
Content-Length: 9
Connection: keep-alive

Forbidden%

Their banners are very similar, differing only in “Server: nginx/1.14.2” versus “Server: nginx/1.14.0 (Ubuntu)”. Of course, the HTTPS certificate is also a core concern of mine. After obtaining the certificates, I found that the two have the same certificate “subject” and “issuer”:

subject: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd
issuer: C=AU; ST=Some-State; O=Internet Widgits Pty Ltd

At this point, I think I have captured the behavioral characteristics of the Trickbot organization. The ZoomEye dork:

"HTTP/1.1 403 Forbidden" +"Server: nginx" +"Content-Length: 9" +"Issuer: C=AU,ST=Some-State,O=Internet Widgits Pty Ltd"

https://www.zoomeye.org/searchResult?q=%22HTTP%2F1.1%20403%20Forbidden%22%20%2B%22Server%3A%20nginx%22%20%2B%22Content-Length%3A%209%22%20%20%2B%22Issuer%3A%20C%3DAU%2CST%3DSome-State%2CO%3DInternet%20Widgits%20Pty%20Ltd%22

I noticed some nuances in these banners: some include “Connection: close” and some do not. To verify whether this is a necessary behavioral feature, I tested all the results with “Connection: close”.

That gave a total of 172 records. I then checked these IPs against VirusTotal and found that 126 of them have Malicious tags, so the hit rate in VirusTotal is 126/172 = 73%.
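The dork and the hit-rate check above, applied offline to banner records that have already been collected; this is an added example, not code from the original article. The record fields (`ip`, `banner`, `issuer`, `flagged`) and the sample records are assumptions constructed for illustration, and the issuer parser goes slightly beyond the text by accepting both the `;` and `,` separator styles shown on this page.

```python
import re

# Fingerprint values copied from the dork in the article.
STATUS = "HTTP/1.1 403 Forbidden"
ISSUER = {"C": "AU", "ST": "Some-State", "O": "Internet Widgits Pty Ltd"}

def parse_banner(raw):
    """Return (status line, {lower-cased header: value}) from a raw response."""
    head = re.split(r"\r?\n\r?\n", raw.strip(), maxsplit=1)[0]  # drop the body
    lines = head.splitlines() or [""]
    pairs = (l.partition(":") for l in lines[1:] if ":" in l)
    return lines[0].strip(), {k.strip().lower(): v.strip() for k, _, v in pairs}

def parse_dn(dn):
    """Parse 'C=AU; ST=x; O=y' or 'C=AU,ST=x,O=y' (no escaped separators)."""
    pairs = (p.partition("=") for p in re.split(r"[;,]", dn) if "=" in p)
    return {k.strip().upper(): v.strip() for k, _, v in pairs}

def matches(rec):
    """True when the banner and the certificate issuer both fit the fingerprint."""
    status, h = parse_banner(rec["banner"])
    return (status == STATUS and h.get("server", "").startswith("nginx")
            and h.get("content-length") == "9"
            and parse_dn(rec["issuer"]) == ISSUER)

def triage(records):
    """Group matching IPs by Connection header; return (groups, flagged share of hits)."""
    hits = [r for r in records if matches(r)]
    by_conn = {}
    for r in hits:
        conn = parse_banner(r["banner"])[1].get("connection", "absent")
        by_conn.setdefault(conn, []).append(r["ip"])
    rate = sum(bool(r["flagged"]) for r in hits) / len(hits) if hits else 0.0
    return by_conn, rate

def _rec(ip, status, conn, issuer, flagged):  # builds one constructed sample record
    banner = (f"HTTP/1.1 {status}\r\nServer: nginx/1.14.2\r\nContent-Length: 9\r\n"
              f"Connection: {conn}\r\n\r\nForbidden")
    return {"ip": ip, "banner": banner, "issuer": issuer, "flagged": flagged}

# Constructed records: RFC 5737 documentation addresses, invented 'flagged' values.
SAMPLE = [
    _rec("192.0.2.10", "403 Forbidden", "keep-alive", "C=AU; ST=Some-State; O=Internet Widgits Pty Ltd", True),
    _rec("192.0.2.11", "403 Forbidden", "close", "C=AU,ST=Some-State,O=Internet Widgits Pty Ltd", False),
    _rec("192.0.2.12", "403 Forbidden", "keep-alive", "C=US, O=Example CA", True),
    _rec("192.0.2.13", "200 OK", "close", "C=AU,ST=Some-State,O=Internet Widgits Pty Ltd", True),
]
```

Grouping the hits by the `Connection` value makes it easy to check whether an optional header actually separates the flagged hosts from the rest before adding it to the fingerprint.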

Through this practice, I have reason to believe that behavior mapping is very effective: many new IPs that had not been marked as malicious were captured. Of the IPs that had been marked, only a small number were marked as owned by the Trickbot organization, so behavior mapping can also help us classify the owners of malicious IPs.

As we all know, traditional intelligence analysis of malicious organizations such as APTs and botnets relies on the analysis of malicious program samples. This is a passive method: the IoCs obtained are limited, and it is easy to miss some C2 IP addresses. Through cyberspace “behavior mapping”, by contrast, all C2 addresses used by a target malicious organization can be actively tracked and captured.

We can then combine this with our “dynamic surveying and mapping” concept and use ZoomEye’s data subscription feature (https://www.zoomeye.org/profile/subscribe) to dynamically monitor the servers used by malicious organizations such as APTs and botnets.

Finally, I want to mention that today I saw a piece of news about “TrickBot gang member arrested after getting stuck in South Korea due to COVID-19 pandemic”, so I am not sure if my article can be read by them :)

Thanks, everyone, and happy searching with ZoomEye!
