APT operators are humans, and humans are lazy and make mistakes. A common pattern seen in APT operations is “sleeping cycles” of domain names. Once an APT operator doesn’t need a C&C domain name, it gets pointed to a parking IP. This might be done to hide the real destination of the C&C communication, but it backfires, as:
- spotting “sleeping cycles” in DNS resolutions is possible and reveals a number of potential C&C domain names.
- the reuse of the same set of “magic” parking IPs can serve as a low-probability attribution method to single out APT operators.
Sleeping cycles of C&C domain names
“Sleeping cycles” are a set of oscillating domain name resolutions. They can be spotted in passive DNS data by looking for changing DNS resolutions. A domain name resolves to a C&C IP and switches after some time to a parking IP. Time passes and the resolution switches back to the C&C IP. Parking IPs can be reserved IP addresses like 127.0.0.2 or IPs of public services like 216.58.213.206 (google.com) or “magic” IPs like 40.40.40.40, which will be discussed in this article.
Publicly available passive DNS databases are mostly not fine-grained enough to record those cycles. They are fed by public DNS resolvers, which usually do not see C&C IP resolutions that often. A better approach is to query DNS resolutions of potential C&C domain names regularly or to use the internally recorded passive DNS data of organizations that are infected by malware.
“Magic” parking IPs
A “magic” IP is a quad octet that is easily typed and “nice” to view. An example is the passive DNS resolution of the domain name “aftcpdnscheck[.]com”. Whilst there is no public report about this domain being used in APT attacks, DCSO assesses with medium confidence that it is controlled by “CHAFER” / HELIX KITTEN (probably OilRig).
This is a rare example of the use of “magic” IPs, as the operator used every common IP from 1.1.1.1 to 222.222.222.222.
This article will focus on a subset of those IPs and will discuss if it is feasible to use some of those as easy indicators of suspicious activity.
Examples of “magic” IPs seen in the wild
20.20.20.20
This is a static IP address, owned by Microsoft (Technology); it offers no public facing services.
20.20.20.20 country_code:US asn:3 cidr:20.0.0.0/11 cidr_size:2097152 description:Microsoft Corporation
By aggregating passive DNS data from various sources, one can find about 80 domain names that pointed to it in the last 12 months. Of those domain names, besides aftcpdnscheck[.]com, four others are suspicious:
windowsdefenderconnect[.]com GuangDong NaiSiNiKe Information Technology Co Ltd
theinsta[.]chat Name.com, Inc.
thesnap[.]chat Name.com, Inc.
toyotafuelcell[.]com CSC Corporate Domains, Inc. domainabuse@cscglobal.com
30.30.30.30
This is a static IP, owned by the US Department of Defense (Military); it offers no public facing services.
30.30.30.30 country_code:US asn: cidr:30.24.0.0/13 cidr_size:16777216 description:Network DoD
There are only five domains pointing to it, one of them being aftcpdnscheck[.]com.
40.40.40.40
This is a static IP address, owned by Eli Lilly and Company (Medical); it offers no public facing services.
40.40.40.40 country_code:US asn:4249 cidr:40.32.0.0/11 cidr_size:4194304 description:Eli Lilly and Company
There are only seven domains pointing to it, one of them being aftcpdnscheck[.]com.
50.50.50.50
This is a dialup-IP in the US, owned by Frontier Communications.
50.50.50.50 country_code:US asn:5650 cidr:50.48.0.0/13 cidr_size:1572864 description:Frontier Communications
There are currently 13 domain names resolving to it, two of them suspicious:
aftcpdnscheck[.]com registrar:Amazon Registrar, Inc.
icloudvn[.]com registrar:GoDaddy.com, LLC
60.60.60.60
This is a dialup-IP in Japan, owned by Jupiter Telecommunication.
60.60.60.60 country_code:JP asn:9824 cidr:60.60.0.0/17 cidr_size:327680 description:Jupiter Telecommunication Co. Ltd
There are 13 domains pointing to it, most of them malicious and controlled by CHAFER.
aftcpdnscheck[.]com registrar:Amazon Registrar, Inc.
sexarabic[.]xyz registrar:Go Daddy, LLC
firstec[.]ltd registrar:Alibaba Cloud Computing Ltd.
dnmails[.]gq registrar:Freenom
cattelecam[.]com registrar:PublicDomainRegistry[.]com
windowscredcity[.]com registrar:TUCOWS, INC.
j-alam[.]com registrar:BigRock Solutions Limited
yjksdrl[.]tk T:dyndns
70.70.70.70
This is a dialup-IP in Canada, owned by Shaw Communications.
70.70.70.70 country_code:CA asn:6327 cidr:70.70.64.0/19 cidr_size:1048576 description:Shaw Communications Inc.
There are only three domains pointing to it, two of them suspicious. Besides aftcpdnscheck[.]com, there is:
econ24[.]tk T:dyndns
80.80.80.80
This is a routed IP with a webserver listening (Freenom). There are tons of domains pointing to it; it seems to be a parking IP used by Freenom.
90.90.90.90
This is a dialup-IP in France, owned by Orange.
90.90.90.90 country_code:FR asn:3215 cidr:90.90.88.0/22 cidr_size:2048 description:Orange
There are 15 domains pointing to it. Besides aftcpdnscheck[.]com, another one is suspicious:
aikeyouxuan[.]tech registrar:Alibaba Cloud Computing Ltd. emails:jshdchtd[@]163.com
Recommendation
Defenders should check for DNS resolutions to those “magic” IPs. But please be aware that other, non-malicious actors may use those IPs as well.
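The following Python example is added here and is not part of the original article or DCSO's tooling. It flags domains in passive DNS data that move from an active IP to one or more parking IPs and back again, so that a domain which merely sits on a “magic” IP does not raise an alert. The function names, the record format and the sample observations are assumptions, and parking on public-service IPs is not covered.

```python
import ipaddress
from collections import defaultdict

def is_magic(ip):
    """All four octets identical, e.g. 40.40.40.40 (the article's "magic" IPs)."""
    addr = ipaddress.ip_address(ip)
    return addr.version == 4 and len(set(addr.packed)) == 1

def is_parking(ip):
    """Assumption: parking means a "magic" IP or a loopback address like 127.0.0.2."""
    return is_magic(ip) or ipaddress.ip_address(ip).is_loopback

def sleeping_cycles(records):
    """records: (timestamp, domain, ip) A-record observations from passive DNS.
    Returns {domain: [cycle, ...]} for each active -> parked -> active swing."""
    history = defaultdict(list)
    for ts, domain, ip in sorted(records):
        states = history[domain]
        if not states or states[-1][1] != ip:   # keep only changes of resolution
            states.append((ts, ip))
    findings = {}
    for domain, states in history.items():
        cycles, last_active, parked = [], None, []
        for ts, ip in states:
            if is_parking(ip):
                if last_active:                 # ignore domains that start out parked
                    parked.append(ip)
            else:
                if parked:                      # woke up after one or more parking IPs
                    cycles.append({"slept_from": last_active, "parking": parked,
                                   "woke": ip, "at": ts})
                last_active, parked = ip, []
        if cycles:
            findings[domain] = cycles
    return findings

# Constructed sample observations (documentation IP ranges, .example domains).
SAMPLE = [
    ("2019-01-01", "c2.example", "203.0.113.10"),
    ("2019-01-02", "c2.example", "203.0.113.10"),
    ("2019-01-05", "c2.example", "40.40.40.40"),
    ("2019-01-09", "c2.example", "60.60.60.60"),
    ("2019-01-20", "c2.example", "203.0.113.10"),
    ("2019-01-01", "parked.example", "80.80.80.80"),
]

if __name__ == "__main__":
    print(sleeping_cycles(SAMPLE))
```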
Who we are
The Threat Intelligence Team helps clients to reduce the threat posed by adversaries for their networks by leveraging the power of collaborative defense in combination with comprehensive analytics and contextualized threat intelligence. DCSO delivers actionable intelligence on all levels – from atomic Indicators of Compromise (IoC) to insights into the political, economic and cultural context of adversaries.