ScarletCitizen: Defense Through Indirect Sharing

Analyst

ScarletCitizen: Defense Through Indirect Sharing

March 10, 2016

By Nelson Pygmy

Earlier today, the Citizen Lab released a blog post outlining a technical shift in the tactics used by the Scarlet Mimic cyber threat actor. Scarlet Mimic (SM) was first reported on by Palo Alto Networks in January, and the Citizen Lab report provides additional context on the actors, and their targets.

The researchers report that SM has repurposed parts of their malware command and control infrastructure to serve phishing attacks that mimic popular online providers, like Google. Although they leave open the possibility that malware attacks continue using unreported infrastructure, this is a change from SMs previously-documented preference for attachment-based malware (combined with easily-available exploits). Finally, we can't rule out that converting burned or low-utility command and control servers to phishing might also represent a kind of down-cycling of infrastructure, before it is discarded. Phishing, in other words, may be the last stop before domains are finally given up.

In this post we use indicators from these two reports as starting points to surface additional SM infrastructure, and link it to previously-reported findings. This highlights how infrastructure analysis coupled with Open Source Intelligence (OSINT) can link and attribute the disparate indicators generated by cyber threat actors like SM.

Sensitive Targets

Before diving into the infrastructure, its important to understand the sensitive nature of the cyber attacks the Citizen Lab chooses to expose. Unlike most cyber attacks, which are motivated by financial gain or focused on theft of intellectual property, those targeting civil society are focused on the people at the other end of the keyboard. Compromising their accounts, machines or mobile devices means the actors can track, intercept, detain or even physically harm those whom they have successfully targeted.

Combating cyber attacks by these actors becomes more difficult as their targets are often part of groups with limited resources and cyber security support. These groups often compute outside of managed environments, and thus each individual is responsible for cyber security choices that can affect everyone whom they work with.

The Citizen Lab provides a valuable service to civil society by exposing cyber attacks, bringing attention to them and working with groups in order to detail their tools, tactics and infrastructure. In addition, Lab researchers can serve as a resource if you suspect a civil society group or activist organization may be among the targets you are looking at. If you are a reverse engineer, researcher or just interested in how you could help, consider contacting info@citizenlab.org.

Infrastructure Chaining

Scarlet Mimics heavy reliance on dynamic DNS domains makes their infrastructure challenging to track. Analysts often find it challenging to link specific IP addresses and other dynamic DNS domains: anyone can register them, often for limited periods of time. Unless you know the exact time period, it can be difficult to separate signal from noise. Fortunately, theres a substantial amount of information detailing these actors conducting cyber attacks dating back to 2013.

In surfacing related infrastructure, we choose to list domains or IP addresses that had at least two different known dynamic DNS domains used in a malicious cyber attack. Within PassiveTotal, we used passive DNS to find overlaps and new infrastructure, WHOIS to surface more dynamic DNS providers and passive SSL to follow groupings of server infrastructure. Using these chaining techniques, we were able to identify the following infrastructure:

updata.firewall-gateway.com
docs.servepics.com
tally.myfirewall.org
jdk.spdns.eu
extension.spdns.org
creatnimei.dyndns-wiki.com
fnvaworld.dnsget.org
webmail.myfirewall.org
sys.zonedell.com
zuni.spdns.org
kaspersky.sytes.net
account-help.firewall-gateway.com
109.169.86.6
78.129.156.218
95.154.204.207

Many of these domains and IP addresses have either been mentioned in previous open source reporting, have known malware associated with them, or show up within the cyber attack timeframes. The above indicators have been added to the PassiveTotal OSINT repository and will now show up when conducting searches within the platform.

Indirect Collaboration

Its often said that more sharing needs to take place in our industry. Its also said that trust issues make deep sharing almost impossible. While these statements may be true, we find that open source reporting (blogs, papers, indicator dumps, etc.) layered over contextual datasets, produces sharing in indirect ways. During our analysis of the information Citizen Lab reported on, we saw connections and reporting overlap from Palo Alto Networks, Cylance, Trend Micro and even previous works from the Citizen Lab. These groups may not have realized it, but by displaying all their work in one central location, they were able to surface nearly all of the infrastructure related to these cyber threat actors.

We view this concept of indirect sharing as pretty powerful, and let it guide us to some feature changes within PassiveTotal. For the past several months, we have associated tags to OSINT data which you will often see when pivoting around within the platform. After seeing the power of indirect sharing, we went a step further and decided to push classifications based on OSINT data down to each indicator. So, not only will you see the tags, but you will also get a color classification signifying the indicator you are viewing is malicious, suspicious or non-malicious. Naturally, we recognize that not everyone will agree with open source reporting, so users can easily override what is shown by default or turn off OSINT as a source altogether.

Final Thoughts

The ability to quickly pivot from the indicators in the Citizen Lab and Palo Alto reports to new indicators demonstrates the value of the PassiveTotal platform. infrastructure chaining techniques, users can click from data point to data point in order to build a complete picture of an actors command and control infrastructure. Bringing in a number of datasets into one location, combined with open source intelligence, and RiskIQs research team, makes it easier to identify and track cyber threat actors. shows that identifying a cyber threat actor doesn't have to be difficult.

Featured Posts

External Threat Management | Labs

Bear Tracks: Infrastructure Patterns Lead to More Than 30 Active APT29 C2 Servers

RiskIQ's Team Atlas has uncovered still more infrastructure actively serving WellMess/WellMail. The timing here is notable. Only one month ago, the American and Russian he...

Joining Microsoft is the Next Stage of the RiskIQ Journey

Today Microsoft announced its intent to acquire RiskIQ, representing the next stage of our journey that's been more than a decade in the making. We couldn't be more ...

Media Land: Bulletproof Hosting Provider is a Playground for Threat Actors

Bulletproof hosting (BPH) is a collection of service offerings catering to internet-based criminal activity. These businesses often operate in a grey area, attempting to appea...

Subscribe to Our Newsletter

Subscribe to the RiskIQ newsletter to stay up-to-date on our latest content, headlines, research, events, and more.

Base Editor

Forrester Wave: External Threat Intelligence Services, Q1 2021

RiskIQ Illuminate® Internet Intelligence Platform Datasheet

Five Security Intelligence Must-Haves For Next-Gen Attack Surface Management

Threat Investigations and Response RiskIQ Solution Brief

Illuminate One-Hour On-Demand Event