Using "magic" DNS-resolutions to track suspicious domains

APT operators are humans, and humans are lazy and make mistakes. A common pattern seen in APT operations is “sleeping cycles” of domain names. Once an APT operator doesn’t need a C&C domain name, it gets pointed to a parking IP. This might be done to hide the real destination of the C&C communication, but backbackfires, as:

• spotting “sleeping cycles” in DNS resolutions is possible and reveals a number of potential C&C domain names.
• using the same set of “magic” parking IPs can be used as a low probability attribution method to single out APT operators.

Sleeping cycles of C&C domain names

“Sleeping cycles” are a set of oscillating domain name resolutions. They can be spotted in passive DNS data by looking for changing DNS resolutions. A domain name resolves to a C&C IP and switches after some time to a parking IP. Time passes and the resolution switches back to the C&C IP. Parking IPs can be reserved IP addresses like 127.0.0.2 or IPs of public services like 216.58.213.206 (google.com) or “magic” IPs like 40.40.40.40, which will be discussed in this article.

Public available passive DNS databases are mostly not fine grained enough to record those cycles. They get fed by public DNS resolvers, which usually do not see C&C IP resolutions that often. A better approach is to query DNS resolutions of potential C&C domain names regularly or to use the internally recorded passive DNS data of organizations, which are infected by malware.

“magic” parking IP’s

A “magic” IP is a quad octet that is easily typed and “nice” to view. An example is the passive DNS resolution of the domain name “aftcpdnscheck[.]com”. Whilst there is no public report about this domain being used in APT attacks, DCSO assesses with medium confidence, that it is controlled by “CHAFER” / HELIX KITTEN (probably OilRig).

This is a rare example of the use of “magic” IPs, as the operator used every common IP from 1.1.1.1 to 222.222.222.222.

This article will focus on a subset of those IPs and will discuss if it is feasible to use some of those as easy indicators of suspicious activity.

Examples of “magic” IP’s seen in the wild

20.20.20.20

This is a static IP address, owned by Microsoft (Technology); it offers no public facing services.

20.20.20.20 country_code:US asn:3 cidr:20.0.0.0/11 cidr_size:2097152 description:Microsoft Corporation

By aggregating passive DNS data from various sources one can find about 80 domain names pointing to it, in the last 12 months. Of those domain names, besides aftcpdnscheck[.]com, four other are suspicious:

windowsdefenderconnect[.]com   GuangDong NaiSiNiKe Information Technology Co Ltd
theinsta[.]chat                Name.com, Inc.
thesnap[.]chat                 Name.com, Inc.
toyotafuelcell[.]com           CSC Corporate Domains, Inc. domainabuse@cscglobal.com

30.30.30.30

This is a static IP, owned by the US Department of Defense (Military), the IP offers no public facing services.

30.30.30.30 country_code:US asn: cidr:30.24.0.0/13 cidr_size:16777216 description:Network DoD

There are only five domains pointing to it, one of them being aftcpdnscheck.com.

40.40.40.40

This is a static IP address, owned by Eli Lilly and Company (Medical), the IP offers no public facing services.

40.40.40.40 country_code:US asn:4249 cidr:40.32.0.0/11 cidr_size:4194304 description:Eli Lilly and Company

There are only seven Domains pointing to it, one of them being aftcpdnscheck[.]com.

50.50.50.50

This is a dialup-IP in the US, owned by Frontier Communications.

50.50.50.50 country_code:US asn:5650 cidr:50.48.0.0/13 cidr_size:1572864 description:Frontier Communications

There are currently 13 domain names resolving to it, two of them suspicious:

aftcpdnscheck[.]com           registrar:Amazon Registrar, Inc.
icloudvn[.]com                registrar:GoDaddy.com, LLC

60.60.60.60

This is a dialup-IP in Japan, owned by Jupiter Telecommunication.

60.60.60.60 country_code:JP asn:9824 cidr:60.60.0.0/17 cidr_size:327680 description:Jupiter Telecommunication Co. Ltd

There are 13 domains pointing to it, most of them malicious and controlled by CHAFER.

aftcpdnscheck[.]com               registrar:Amazon Registrar, Inc.
sexarabic[.]xyz                   registrar:Go Daddy, LLC
firstec[.]ltd                     registrar:Alibaba Cloud Computing Ltd.
dnmails[.]gq                      registrar:Freenom
cattelecam[.]com                  registrar:PublicDomainRegistry[.]com
windowscredcity[.]com             registrar:TUCOWS, INC.
firstec[.]ltd                     registrar:Alibaba Cloud Computing Ltd.
j-alam[.]com                      registrar:BigRock Solutions Limited
yjksdrl[.]tk                      T:dyndns

70.70.70.70

This is a dialup-IP in Canada, owned by Shaw Communications.

70.70.70.70 country_code:CA asn:6327 cidr:70.70.64.0/19 cidr_size:1048576 description:Shaw Communications Inc.

There are only three domains pointing to it, two of them are suspicious Besides aftcpdnscheck[.]com, there is:

econ24.tk   T:dyndns

80.80.80.80

This is a routed IP with a webserver listening (Freenom). There are tons of domains pointing to it, it seems to be a parking IP used by Freenom.

90.90.90.90

This is a dialup-IP in France, owned by Orange.

90.90.90.90 country_code:FR asn:3215 cidr:90.90.88.0/22 cidr_size:2048 description:Orange

There are 15 domains pointing to it, besides aftcpdnscheck[.]com another one being suspicious:

aikeyouxuan.tech registrar:Alibaba Cloud Computing Ltd. emails:jshdchtd[@]163.com

Recommendation

Defenders should check for DNS resolutions to those “magic IP’s”. But please be aware that other, non-malicious actors may use those IPs as well.