Last year we posted two blogs detailing our methodology for tracking GhostDNS infrastructure:
In summary, Part 1 focused primarily on the identification of Rogue DNS servers and Part 2 on the discovery and assessment of HTTP phishing infrastructure. This blog provides an update on all infrastructure we have observed since that time – focusing on the period 1st November 2020 to 15th January 2021. As previously, we continue to share details of our investigations, including victim details, with CERT.br.
In December 2020, we posted details of four GhostDNS Rogue DNS servers on our twitter page:
These four servers were identified using queries for the string dnscfg.cgi?dnsPrimary= before being cross-referenced against other datasets – confirming them as GhostDNS infrastructure:
220.127.116.11 (OVH, FR)
18.104.22.168 (OVH, FR)
22.214.171.124 (OVH, FR)
126.96.36.199 (OVH, FR)
Note: All four IP addresses are assigned to OVH, FR – however, the first three geolocate to Brazil and the remaining IP address (188.8.131.52) geolocates to the United States.
In identifying these Rogue DNS servers, we also observed 55 IP addresses being used by threat actors to update the DNS settings of vulnerable routers. We previously defined these IP addresses as Changer IP addresses – a full list of all identified infrastructure is provided at the end of this blog.
The below image provides an example of Changer IP address identification within Team Cymru’s cyber reconnaissance platform (victim IP addresses have been redacted to protect their privacy).
Returning to the four previously referenced Rogue DNS servers and repeating the methodology outlined in our previous blogs, we pivoted on potential victim IP addresses (specifically looking at UDP/53 traffic) in order to identify additional candidate Rogue DNS servers.
In total 14 Rogue DNS servers were identified being queried by potential victims during our period of interest (1st November 2020 to 15th January 2021), of which nine did not appear in our previous blogs.
The below timeline provides an overview of when these Rogue DNS servers were ‘active’ – based on first and last seen timestamps.
HTTP Phishing Infrastructure
In our second GhostDNS blog, we examined the HTTP phishing infrastructure element of the attack cycle, providing an x.509 certificate being used by one distinct GhostDNS threat group (CDD):
SHA1 – 8D9B394BA67D1913566115094C1AD0257FEFF26E
During our period of interest, we observed two IP addresses hosting this certificate:
184.108.40.206 (most recently 24th December 2020)
220.127.116.11 (most recently 2nd November 2020)
In addition to the IP addresses hosting the x.509 certificate, a further HTTP phishing server (18.104.22.168) was identified based on passive DNS data for Rogue DNS server 22.214.171.124 (an example of this data is displayed below).
In this image, some of the sites/brands targeted by GhostDNS are evident – including Facebook and Netflix.
Three further HTTP phishing servers were identified based on DNS queries performed during the course of writing this blog – and therefore represent the most recent infrastructure:
Indicators of Compromise
Note: The below IOCs were all observed during the period 1st November 2020 – 15th January 2021 and include some IOCs which were shared in our previous blogs.
HTTP Phishing servers 
Rogue DNS servers 
Changer IP addresses