One ZoomEye Query Cleans BazarLoader C2s

heige
3 min readSep 8, 2021

--

Author: Heige (a.k.a Superhei) of KnownSec 404 Team https://twitter.com/80vul 09/08/2021

Yesterday, a detailed article on “behavior mapping” in cyberspace was published. The article introduced an example of using a ZoomEye query to get all the Trickbot C2 ips all at once:

https://80vul.medium.com/behavior-mapping-in-cyberspace-one-net-cleans-apt-and-botnet-c2s-ed49a9b7d426

Today I will bring you another typical case: How to hunt more BazarLoader C2s through a ZoomEye Query?

I noticed on September 1 that @TheDFIRReport released two ip addresses about BazarLoader C2 https://twitter.com/TheDFIRReport/status/1433055791964049412

#BazarLoader
64.227.73.80
64.225.71.198

Through the search of ZoomEye, I found that their banners are very similar, which is the feature of “behavioral mapping” mentioned in our article yesterday.

Through the search of ZoomEye, I found that their banners are very similar, that is, the feature of “behavioral mapping” mentioned in our article yesterday. Of course, there is also a detailed difference of “Connection: close” which is the same as that of Trickbot.

Through the search of ZoomEye, I found that their banners are very similar, that is, the feature of “behavior mapping” mentioned in our article yesterday. Of course, there is also a detailed difference of “Connection: close” which is the same as that of Trickbot, so I You can start with one of them, I chose 64.227.73.80:443

After several query tests, I got this special ZoomEye dork:

“HTTP/1.1 404 Not found” +”Server: nginx” +”Content-Type: text/html; charset=UTF-8" +”Connection: close Date” -”Content-Length” -”<head>” -”Cache-Control”

I found 157 pieces of data, most of which are concentrated on port 443, which is consistent with the sample 64.227.73.80:443, so I decided to download these data and extract the “issuer” and related domain names in the certificate and the results are as follows:

From the related results and information of the Issuer: of the certificate, there are obvious behavioral characteristics, for example, many characters such as “System, CN=” are included, so after testing, the false positive IP address is excluded, and finally ZoomEye dork is obtained:

(ssl:”System,CN” ssl:”Amadey Org,CN” ssl:”O=Global Security,OU=IT Department,CN=example.com” ssl:”NZT,CN” ssl:”O=Lero,OU=Lero” ssl:”Security,OU=Krot” ssl:”O=Shioban,OU=Shioban”) +”HTTP/1.1 404 Not found” +”Server: nginx” +”Content-Type: text/html; charset=UTF-8" -ssl:”OU=System” -ssl:digicert -”Content-Length” -”Connection: keep-alive”

https://www.zoomeye.org/searchResult?q=(ssl%3A%22System%2CCN%22%20ssl%3A%22Amadey%20Org%2CCN%22%20ssl%3A%22O%3DGlobal%20Security%2COU%3DIT%20Department%2CCN%3Dexample.com%22%20ssl%3A%22NZT%2CCN%22%20ssl%3A%22O%3DLero%2COU%3DLero%22%20ssl%3A%22Security%2COU%3DKrot%22%20ssl%3A%22O%3DShioban%2COU%3DShioban%22)%20%2B%22HTTP%2F1.1%20%20404%20Not%20found%22%20%2B%22Server%3A%20nginx%22%20%2B%22Content-Type%3A%20text%2Fhtml%3B%20charset%3DUTF-8%22%20-ssl%3A%22OU%3DSystem%22%20-ssl%3Adigicert%20-%22Content-Length%22%20-%22Connection%3A%20keep-alive%22

As a result, we have achieved 254 C2 ip addresses suspected to be used by BazarLoader through a ZoomEye query,Of course, we analyze and extract the 254 pieces of data, including the domain name and JARM in the certificate and the results are as follows:

https://pastebin.com/Y9T4KKYr

C2 IPs COUNTRY Top 10 :

United States 112
The Netherlands 53
Germany 22
United Kingdom 15
Romania 11
Czech 8
Latvia 8
Moldova 4
Russia 4
France 3

C2 IPs ORGANIZATION Top 10 :

Amazon.com, Inc. 79
DigitalOcean, LLC 68
International Hosting Solutions LLP 7
zergrush.ro 7
Sia Nano IT 6
ColoCrossing 5
DediPath 5
OVH SAS 5
Eonix Corporation 4
IP Connect Inc 4

Domain name in the certificate :

amadeamadey.at 46
asdotaera.it 7
baget.fr 1
bigter.ch 3
confarencastyas.it 3
enjobero.ch 1
example.com 33
forenzik.kz 64
gosterta.fr 2
haner.it 3
hangober.uk 5
holdasdg.it 1
holdertoysar.uk 4
jerbek.fr 2
jermegib.fr 3
jersjersy.com 2
kajekin.je 6
komanchi.com 1
ksorun.it 2
laralabana.it 3
maloregerto.it 6
mataner.at 4
monblan.ua 14
munichresed.de 1
nortenarasta.fr 1
nztportu.pg 2
ofgasrty.fr 2
parismaote.fr 1
perdefue.fr 7
pnercon.tr 1
pokilorte.es 7
rosteranar.uk 1
selfoder.gb 6
smartoyab.it 1
smartoyta.uk 1
smartoytaas.it 4
zalustipar.uk 3

JARM in the certificate :

2ad2ad16d2ad2ad22c2ad2ad2ad2ad7329fbe92d446436f2394e041278b8b2 9
2ad2ad16d2ad2ad22c2ad2ad2ad2ad47321614530b94a96fa03d06e666d6d6 32
2ad2ad0002ad2ad22c2ad2ad2ad2adce7a321e4956e8298ba917e9f2c22849 39
2ad2ad0002ad2ad0002ad2ad2ad2ade1a3c0d7ca6ad8388057924be83dfc6a 25

--

--