Mapping out AridViper Infrastructure Using Recon’s Malware Module
Cyber Reconnaissance with Team Cymru's Pure Signal™ Platform
Twitter user @BaoshengbinCumt posted malware hash faff57734fe08af63e90c0492b4a9a56 on 27 November 2020, which they attributed to AridViper (APT-C-23 / GnatSpy)[i]. This user is a researcher for Qihoo and has previously reported on the activities of AridViper.
AridViper, also known as APT-C-23 and GnatSpy, are a group active within the Middle Eastern region, known in particular to target Israeli military assets.
The Augury Malware addon was used to map out further AridViper infrastructure, by pivoting from @BaoshengbinCumt’s malware seed sample.
Note – All pivots undertaken within this exercise are detailed in the below chart and within a table at the end of the page:
faff57734fe08af63e90c0492b4a9a56
This sample, a packed Windows executable, was dropped via a malicious document disguised as a Curriculum Vitae – likely delivered in a phishing campaign.
Sandboxing of the sample identified a POST request made to hostname judystevenson[.]info.
The first pivot within the Augury Malware addon was to therefore look for other malware samples that had communicated with the C2 judystevenson[.]info.
judystevenson[.]info
Eight further samples were identified using the judystevenson[.]info C2 that was identified from the initial seed sample:
6e2d058c3508694a392194dbb6e9fe44
835f86e1e83a3da25c715e89db5355cc
89e9823013f711d384824d8461cc425d
94a5e595be051b9250e678de1ff927ac
ae0b53e6b378bf74e1dd2973d604be55
c27f925a7c424c0f5125a681a9c44607
f5bac4d2de2eb1f8007f68c77bfa460e
f93faca357f9a8041a377ca913888565
When sandboxing these samples (as well as faff57734fe08af63e90c0492b4a9a56) it was noted that the malware dropped the following file – C:\ProgramData\GUID.bin. This file was then used as the next pivot point.
C:\ProgramData\GUID.bin
18 samples had dropped this file during their execution within a sandbox environment:
1eb1923e959490ee9f67687c7faec697
20d21c75b92be3cfcd5f69a3ef1deed2
3296b51479c7540331233f47ed7c38dd
471313cb47c6165ec74088fafb9a5545
4b96fecd0c6451b30619e6e836fe7ffa
4d9b6b0e7670dd5919b188cb71d478c0
8d50262448d0c174fc30c02e20ca55ff
90cdf5ab3b741330e5424061c7e4b2e2
9bb70dfa2e39be46278fb19764a6149a
9bc9765f2ed702514f7b14bcf23a79c7
9d76d59de0ee91add92c938e3335f27f
a7cf4df8315c62dbebfbfea7553ef749
c12b3336f5efc8e83fcace6f81b27642
c4a90110acd78e2de31ad9077aa4eff6
c7d7ee62e093c84b51d595f4dc56eab1
e35d13bd8f04853e69ded48cf59827ef
e8effd3ad2069ff8ff6344b85fc12dd6
edc3b146a5103051b39967246823ca09
Five C2s were identified, associated with the above samples:
escanor[.]live
jaime-martinez[.]info
krasil-anthony[.]icu
nicoledotson[.]icu
ruthgreenrtg[.]live
Further pivots were undertaken based on ImpHash values derived from these samples and the AV signature Win32/Revokery.J, identifying a further five associated samples:
09cd0da3fb00692e714e251bb3ee6342
142a25bb5fd4612c9f6afcaad34fce37
46871f3082e2d33f25111a46dfafd0a6
758e432ed759013e0d00723c3d2af0c6
7fcfb64b1383d0d73f32dbe365fe4fdb
In addition to the five hostnames referenced above, the following two C2s were also extracted from these samples:
benyallen[.]club
chad-jessie[.]info
Pivoting on C2 chad-jessie[.]info subsequently identified a further sample:
fc5b2c81debf30d251d5220097c2f846
Returning to the original sample (faff57734fe08af63e90c0492b4a9a56), the user agent string identified in the POST request was used as another pivot.
A significant number of samples (approx. 600) were identified using this particular user agent string within C2 communications, therefore analysis focused on samples with a similar distinctive URL pattern to those samples already identified.
In undertaking this assessment, four samples were identified:
221c5982d545b4efb2cbee4e0597d154
947fd5f93c44807986f5663a739e0f46
f65e5bb6e35a3e28c2c878824293d939
f7a3f14ddbea80a1fe8653a8b71ce4df
Five C2s were identified, associated with the above samples:
jack-fruit[.]club
lordblackwood[.]club
angeladeloney[.]info
overingtonray[.]info
camilleoconnell[.]website
Pivoting on C2 angeladeloney[.]info subsequently identified a further three samples:
1d815939c4c4df5039185be9506ee88a
21aa63b42825fb95bf5114419fb42157
8b7ad86f74c3fb6d51e7cfb39fdd65be
A total of 40 malware samples were identified during this exercise, communicating with 13 C2s.
All pivots, identified samples and C2s are summarised in the below table:
UA – Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
947fd5f93c44807986f5663a739e0f46
angeladeloney[.]info
UA – Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
C2 – angeladeloney[.]info
f65e5bb6e35a3e28c2c878824293d939
overingtonray[.]info
UA – Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
f7a3f14ddbea80a1fe8653a8b71ce4df
camilleoconnell[.]website
UA – Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)
1d815939c4c4df5039185be9506ee88a
angeladeloney[.]info
C2 – angeladeloney[.]info
21aa63b42825fb95bf5114419fb42157
angeladeloney[.]info
C2 – angeladeloney[.]info
8b7ad86f74c3fb6d51e7cfb39fdd65be
angeladeloney[.]info
C2 – angeladeloney[.]info
Recent Passive DNS data was obtained for the identified hostnames, and is summarised in the table below:
Hostname
IP
Whois
angeladeloney.info
198.54.114.246
NAMECHEAP-NET, US
benyallen.club
198.54.117.197
NAMECHEAP-NET, US
chad-jessie.info
198.54.116.43
NAMECHEAP-NET, US
escanor.live
198.187.29.152
NAMECHEAP-NET, US
jack-fruit.club
198.187.29.21
NAMECHEAP-NET, US
jaime-martinez.info
162.213.253.37
NAMECHEAP-NET, US
judystevenson.info
198.54.115.130
NAMECHEAP-NET, US
krasil-anthony.icu
68.65.122.52
NAMECHEAP-NET, US
lordblackwood.club
198.54.116.157
NAMECHEAP-NET, US
nicoledotson.icu
198.54.117.200
NAMECHEAP-NET, US
overingtonray.info
104.219.248.45
NAMECHEAP-NET, US
ruthgreenrtg.live
199.188.200.253
NAMECHEAP-NET, US
The use of NameCheap infrastructure has been observed in previous analysis of this group[ii]. It is believed that in the case of camilleoconnell[.]website, the identified IP address (58.158.177[.]102 – UCOM ARTERIA Networks Corporation, JP) is not associated with the activities of AridViper.
