In mid-January, Twitter users @NaomiSuzuki_ and @KesaGataMe0 identified nearly 20 malicious phishing domains spoofing AEON Bank in Japan. The domains were tied to MoqHao, a malware family targeting Android OS devices, primarily in Japan, South Korea, and Taiwan:
Figure 1 – Seed Twitter Post
Passive DNS Data
Using Team Cymru’s Pure Signal Platform, we performed a wildcard search for domains using the pattern of ‘t.aeo*.com’. This search identified all of the domains and the hosting IP addresses previously found by @NaomiSuzuki_ and @KesaGataMe0.
|IP Address||AS Name||Hostname||First Seen|
|188.8.131.52||Gigabit Hosting, MY||t.aeokc.com||2021-01-07|
|184.108.40.206||Gigabit Hosting, MY||t.aeomnv.com||2021-01-07|
|220.127.116.11||Parfumuri Femei, RO||t.aeomq.com||2021-01-13|
|18.104.22.168||Gigabit Hosting, MY||t.aeoin.com||2021-01-11|
|22.214.171.124||Gigabit Hosting, MY||t.aeomg.com||2021-01-14|
|126.96.36.199||Gigabit Hosting, MY||t.aeomh.com||2021-01-15|
|188.8.131.52||Gigabit Hosting, MY||t.aeomu.com||2021-01-13|
|184.108.40.206||Gigabit Hosting, MY||t.aeomc.com||2021-01-15|
|220.127.116.11||Gigabit Hosting, MY||t.aeoxq.com||2021-01-18|
|18.104.22.168||Gigabit Hosting, MY||t.aeodr.com||2021-01-08|
|22.214.171.124||Gigabit Hosting, MY||t.aeoxi.com||2021-01-08|
Table 1 – Domains Spoofing Aeon Bank
From this list we can see that several of the IP addresses were used to host two or more domains:
|IP Address||AS Name|
|126.96.36.199||Gigabit Hosting, MY|
|188.8.131.52||Gigabit Hosting, MY|
|184.108.40.206||Gigabit Hosting, MY|
|220.127.116.11||Gigabit Hosting, MY|
Table 2 – IP Addresses Hosting Multiple Phishing Domains
Performing a passive DNS search on these IP addresses identifies another pattern of spoofed domains, this time targeting Japan’s The 77 Bank, Ltd.
Figure 2 – PDNS Results for Phishing Infrastructure
By performing another wildcard domain search for ‘77*bnk.com’ we identified the following:
|IP Address||AS Name||Name Queried||Min of Timestamp|
|18.104.22.168||Gigabit Hosting, MY||77cbnk.com||2021-01-07|
Table 3 – Domains Spoofing The 77 Bank
Several of these domains, including 77cbnk.com, 77bbnk.com, and 77bac.com were already observed by Twitter sleuths @NaomiSuzuki_ and @KesaGataMe0.
Note: A domain spoofing Japan’s Jibun Bank, ‘t.auznw.com’ was also hosted on 22.214.171.124, but we couldn’t find any more domains that followed the same pattern. Likewise, the domains ‘aetvk.com’, ‘aenbv.com’, ‘aeenm.com’, and ‘aenvv.com’ were also used to spoof AEON Bank (using a slightly different naming pattern) but did not lead to any additional discoveries.
Looking at our X.509 certificate records, we find one certificate hosted on IP address 126.96.36.199:
|Issuer DN||C=US, O=Let’s Encrypt, CN=R3|
|Validity||2021-01-11 07:49:38 to 2021-04-11 07:49:38 (90 days)|
Table 4 – x509 Certificate Associated with aeoob.com
None of the other domains appeared to have an associated certificate, so it is unknown why the domain ‘aeoob.com’ is the exception. Nonetheless, it’s an additional data point to look out for in the future.
Looking at netflow, we see over 250 unique Japanese IP addresses connecting over TCP port 443 (HTTPS) to the IP addresses in Table 2. The connecting IP addresses are all registered to Softbank, NTT, OPTAGE, or NTT Docomo, indicating they are likely residential customers. The vast majority of overall TCP/443 traffic to these IP addresses came from Japan, so the traffic likely represents victims who fell prey to the phishing campaign.
The actors appear to have covered their tracks carefully. A high percentage of the netflow traffic directed at five of the eight IP addresses listed in Table 2 came from 188.8.131.52 (IDC Frontier Inc., JP) and 184.108.40.206 (EHOSTIDC, KR), both of which are Tor exit nodes.
Figure 3 – Top Communicating IP Addresses in NetFlow Data
While we can’t draw any further conclusions as to attribution of this activity at this stage, with Team Cymru’s Pure Signal platform we can continue to monitor new spoofed banking domains and IP addresses as they appear.