Author: Heige (a.k.a Superhei) of KnownSec 404 Team https://twitter.com/80vul 09/08/2021
Yesterday, a detailed article on “behavior mapping” in cyberspace was published. The article introduced an example of using a ZoomEye query to get all the Trickbot C2 IPs at once:
Today I will bring you another typical case: How to hunt more BazarLoader C2s through a ZoomEye Query?
I noticed on September 1 that @TheDFIRReport had published two BazarLoader C2 IP addresses: https://twitter.com/TheDFIRReport/status/1433055791964049412
#BazarLoader
64.227.73.80
64.225.71.198
Searching ZoomEye, I found that their banners are very similar, which is exactly the “behavior mapping” feature mentioned in our article yesterday. There is also a telling detail, the “Connection: close” header, the same one seen with Trickbot. So we can start from either of them; I chose 64.227.73.80:443.
After several query tests, I got this special ZoomEye dork:
"HTTP/1.1 404 Not found" +"Server: nginx" +"Content-Type: text/html; charset=UTF-8" +"Connection: close Date" -"Content-Length" -"<head>" -"Cache-Control"
The query returned 157 results, most of them on port 443, which is consistent with the sample 64.227.73.80:443. So I downloaded the data and extracted the certificate issuer and the related domain names; the results are as follows:
The issuer fields of these certificates show obvious behavioral characteristics: for example, many of them contain strings such as “System, CN=”. After testing to exclude false-positive IP addresses, I arrived at the final ZoomEye dork:
(ssl:"System,CN" ssl:"Amadey Org,CN" ssl:"O=Global Security,OU=IT Department,CN=example.com" ssl:"NZT,CN" ssl:"O=Lero,OU=Lero" ssl:"Security,OU=Krot" ssl:"O=Shioban,OU=Shioban") +"HTTP/1.1 404 Not found" +"Server: nginx" +"Content-Type: text/html; charset=UTF-8" -ssl:"OU=System" -ssl:digicert -"Content-Length" -"Connection: keep-alive"
As a result, a single ZoomEye query yields 254 IP addresses suspected of being used as BazarLoader C2s. We then analyzed the 254 records and extracted the domain name and JARM from each certificate; the results are as follows:
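The pivot walked through above (fix the banner shape first, then narrow by certificate issuer strings, then tally the hits) can be reproduced offline on saved records. The Python below is an added example, not the author's code and not a ZoomEye client. It parses the two dorks quoted in the post under an assumed reading of the syntax (plain quoted terms match the HTTP banner, ssl: terms match the certificate issuer/subject text, a leading - excludes, a parenthesised group is an OR of its terms), applies them to a handful of constructed sample records, and tallies issuer CN, country, organisation and JARM the way the post does. The addresses (RFC 5737 range), banners, issuer strings and JARM placeholders are all constructed.

```python
"""Banner/certificate pivot, as in the post, run against constructed records."""
import re
from collections import Counter

# The two ZoomEye dorks quoted in the post (straight quotes).
BANNER_DORK = (
    '"HTTP/1.1 404 Not found" +"Server: nginx" '
    '+"Content-Type: text/html; charset=UTF-8" +"Connection: close Date" '
    '-"Content-Length" -"<head>" -"Cache-Control"'
)
CERT_DORK = (
    '(ssl:"System,CN" ssl:"Amadey Org,CN" '
    'ssl:"O=Global Security,OU=IT Department,CN=example.com" ssl:"NZT,CN" '
    'ssl:"O=Lero,OU=Lero" ssl:"Security,OU=Krot" ssl:"O=Shioban,OU=Shioban") '
    '+"HTTP/1.1 404 Not found" +"Server: nginx" '
    '+"Content-Type: text/html; charset=UTF-8" -ssl:"OU=System" -ssl:digicert '
    '-"Content-Length" -"Connection: keep-alive"'
)

# A token is "(" or ")" or a term: optional +/- prefix, optional "ssl:"
# field selector, then quoted text or a bare word.
TOKEN_RE = re.compile(r'\(|\)|[+-]?(?:ssl:)?(?:"[^"]*"|[^\s()"]+)')
CN_RE = re.compile(r"CN=([^,]+)")


def parse_dork(dork):
    """Turn a dork into clauses that must all hold (AND).

    Each clause is a list of (negate, field, text) alternatives, any of
    which may hold (OR). A parenthesised group becomes one OR clause; every
    other term is a clause of its own. This is an assumed reading of how
    the post uses the syntax, not ZoomEye's documented grammar.
    """
    clauses, group = [], None
    for tok in TOKEN_RE.findall(dork):
        if tok == "(":
            group = []
            continue
        if tok == ")":
            clauses.append(group)
            group = None
            continue
        negate = tok.startswith("-")
        body = tok.lstrip("+-")
        field = "ssl" if body.startswith("ssl:") else "banner"
        text = body[len("ssl:"):] if field == "ssl" else body
        term = (negate, field, text.strip('"'))
        if group is not None:
            group.append(term)
        else:
            clauses.append([term])
    return clauses


def matches(record, clauses):
    """True if the record satisfies every clause (case-insensitive).

    Header lines are collapsed to single spaces, so the term
    "Connection: close Date" spans the break between two headers, which is
    how the post's dork relies on the absence of any header in between.
    """
    fields = {k: " ".join(record[k].split()).lower() for k in ("banner", "ssl")}

    def holds(term):
        negate, field, text = term
        return (text.lower() in fields[field]) != negate

    return all(any(holds(t) for t in clause) for clause in clauses)


def summarize(records, dork):
    """Apply a dork and tally the attributes the post tallies."""
    clauses = parse_dork(dork)
    hits = [r for r in records if matches(r, clauses)]
    cns = Counter()
    for r in hits:
        m = CN_RE.search(r["ssl"])
        if m:
            cns[m.group(1)] += 1
    return {
        "hits": [r["ip"] for r in hits],
        "country": Counter(r["country"] for r in hits),
        "org": Counter(r["org"] for r in hits),
        "cn": cns,
        "jarm": Counter(r["jarm"] for r in hits),
    }


# Constructed sample records: made-up banners, issuer strings, hosters and
# JARM placeholders on documentation addresses. Not data from ZoomEye.
C2_LIKE_BANNER = (
    "HTTP/1.1 404 Not found\r\nServer: nginx\r\n"
    "Content-Type: text/html; charset=UTF-8\r\nConnection: close\r\n"
    "Date: Wed, 01 Sep 2021 12:00:00 GMT\r\n\r\n"
)
DEFAULT_NGINX_404 = (  # an ordinary nginx 404 page: Content-Length, keep-alive, <head>
    "HTTP/1.1 404 Not Found\r\nServer: nginx\r\nDate: Wed, 01 Sep 2021 12:00:00 GMT\r\n"
    "Content-Type: text/html; charset=UTF-8\r\nContent-Length: 153\r\n"
    "Connection: keep-alive\r\n\r\n<html>\r\n<head>"
)
RECORDS = [
    {"ip": "192.0.2.10", "banner": C2_LIKE_BANNER, "ssl": "O=System,CN=example.com",
     "country": "United States", "org": "Hoster A (constructed)", "jarm": "jarm-placeholder-1"},
    {"ip": "192.0.2.11", "banner": DEFAULT_NGINX_404,
     "ssl": "C=US,O=DigiCert Inc,CN=DigiCert TLS RSA SHA256 2020 CA1",
     "country": "United States", "org": "Hoster B (constructed)", "jarm": "jarm-placeholder-2"},
    {"ip": "192.0.2.12", "banner": C2_LIKE_BANNER, "ssl": "O=Shioban,OU=Shioban,CN=monblan.ua",
     "country": "The Netherlands", "org": "Hoster A (constructed)", "jarm": "jarm-placeholder-1"},
    {"ip": "192.0.2.13",  # right banner shape, but an extra header and a public CA
     "banner": C2_LIKE_BANNER.replace("Date:", "Cache-Control: no-cache\r\nDate:"),
     "ssl": "C=US,O=Let's Encrypt,CN=R3",
     "country": "Germany", "org": "Hoster C (constructed)", "jarm": "jarm-placeholder-3"},
]

if __name__ == "__main__":
    for name, dork in (("banner dork", BANNER_DORK), ("cert dork", CERT_DORK)):
        print(name, summarize(RECORDS, dork))
```

Only the two records that reproduce both the stripped-down 404 banner and a self-issued certificate survive either dork; the default nginx page is dropped by its Content-Length and keep-alive headers, and the near-miss with a public CA is dropped by the issuer clause. When running this over real export data, keep the exclusion terms: without them the banner clauses alone match any stock nginx 404.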
C2 IPs COUNTRY Top 10 :
United States 112
The Netherlands 53
Germany 22
United Kingdom 15
Romania 11
Czech 8
Latvia 8
Moldova 4
Russia 4
France 3

C2 IPs ORGANIZATION Top 10 :
Amazon.com, Inc. 79
DigitalOcean, LLC 68
International Hosting Solutions LLP 7
zergrush.ro 7
Sia Nano IT 6
ColoCrossing 5
DediPath 5
OVH SAS 5
Eonix Corporation 4
IP Connect Inc 4

Domain name in the certificate :
amadeamadey.at 46
asdotaera.it 7
baget.fr 1
bigter.ch 3
confarencastyas.it 3
enjobero.ch 1
example.com 33
forenzik.kz 64
gosterta.fr 2
haner.it 3
hangober.uk 5
holdasdg.it 1
holdertoysar.uk 4
jerbek.fr 2
jermegib.fr 3
jersjersy.com 2
kajekin.je 6
komanchi.com 1
ksorun.it 2
laralabana.it 3
maloregerto.it 6
mataner.at 4
monblan.ua 14
munichresed.de 1
nortenarasta.fr 1
nztportu.pg 2
ofgasrty.fr 2
parismaote.fr 1
perdefue.fr 7
pnercon.tr 1
pokilorte.es 7
rosteranar.uk 1
selfoder.gb 6
smartoyab.it 1
smartoyta.uk 1
smartoytaas.it 4
zalustipar.uk 3

JARM in the certificate :
2ad2ad16d2ad2ad22c2ad2ad2ad2ad7329fbe92d446436f2394e041278b8b2 9
2ad2ad16d2ad2ad22c2ad2ad2ad2ad47321614530b94a96fa03d06e666d6d6 32
2ad2ad0002ad2ad22c2ad2ad2ad2adce7a321e4956e8298ba917e9f2c22849 39
2ad2ad0002ad2ad0002ad2ad2ad2ade1a3c0d7ca6ad8388057924be83dfc6a 25