Hunting a TLS certificate series — Post 1

Mark Parsons
4 min read · Mar 3, 2017


I have spoken a few times over the past year at BSides Charm, Archc0n and the SANS CTI Summit about using TLS certificates to hunt for and pivot to related network infrastructure. TL;DR: you can use TLS certificates to track threat actors' infrastructure, and also to find details about your own infrastructure you were unaware of.

I think I provide enough in those slide decks to help you get started with this method, but I have been thinking it might be good to blog some examples as well. So here goes the first in my series of walkthroughs on using TLS certificates to find additional infrastructure.

For this walkthrough we are going to be looking at the TLS certificate below flagged by the SSL Blacklist over at abuse.ch.

https://sslbl.abuse.ch/intel/2413e0ce45539f0acf61d0ccd876df978c4670c7

I wanted to start with this one because the blacklist says they found it passively and cannot provide any other context, so we have a clean slate to start with. The first thing I would do at this point is jump on over to https://censys.io and query their datastore to see if they have seen it.

Censys search results for 2413e0ce45539f0acf61d0ccd876df978c4670c7

You can see that censys.io currently has one IP address with that certificate. Thankfully, I have been pulling down all the Sonar SSL scans from https://scans.io/study/sonar.ssl and can search my local Elasticsearch datastore to see if we have any additional IP addresses. I am using code from my GitHub repo to help me pull in this data. If you are unable to do this, you could look at using services like PassiveTotal, circl.lu, or ThreatMiner to provide a searchable interface for SSL certificates.

Sonar SSL 443 scans search results

As we can see, we have eight IP addresses, including the 91.223.89[.]22 address that censys.io is currently reporting. If you look at the certificate Subject and Issuer in the screenshot above, these are very suspect to me because they only have a CN field, and the value of that CN appears to be random letters. These findings alone would lead me to add this certificate for monitoring on my networks.

Now I could stop here, but I wouldn't have much context to go on if I actually had an alert. Let's do some more digging and see if we can find any other relations. I enjoy looking at data like this in graph form to help show relationships, so let's start with the TLS certificate and the eight IP addresses.

Initial graph of IP addresses and TLS certificate

Now, we also need a time frame to start with. The SSL Blacklist flagged this on 2017-02-08 07:05:18, so we could start there, but I think we can instead look at the notBefore date of the certificate, which was 2016-09-25, and start from that. This is the day this TLS certificate was created, and it makes a great starting point in lots of certificate hunting activities.

I went and did passive DNS lookups against all those IP addresses and pulled back the domains that were active during the time frames in which the TLS certificate was seen on each IP. I also added any domains that were seen within a few days of either the first seen or last seen date, because the Sonar SSL scans are only run once a week. Our graph now looks like this:

We now have eight domains, four of which are seen on multiple IPs, with hideprojectworld[.]com showing up on three of the IP addresses. By now I am really thinking all of this is related infrastructure, but let's keep digging a bit more. Let's take a look at the Whois registrant information for these new domains and see if we find any additional linkages.

Now we see that hideprojectworld[.]com, goodamaracama[.]com and worldwidedeliver7[.]com all have the same Whois registrant name of Alex Sirofim and registrant email of sir777alex[@]outlook.com. Combining the new Whois registrant linkages with the fact that the IP addresses all share the same TLS certificate, I would say it is highly likely that all of these are related and are being used by the same threat actor. Now, I am not sure if they are all used for Chthonic malware or if this certificate is also used for something else. More data needs to be looked at to see if we can find additional linkages through malware samples as well.
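As an added example (not the author's own code or tooling), here is a small Python script that replays the pivot described above over constructed data: Sonar-style scan records (scan date, IP, SHA1 fingerprint), passive DNS records (domain, IP, first seen, last seen) and a Whois registrant map. It finds the IPs that served a fingerprint, pads each IP's window by a few days to cover the weekly scan gap, pulls in domains that overlap, and groups them by registrant. All fingerprints, IPs, domains and registrant values are placeholders.

```python
from collections import defaultdict
from datetime import date, timedelta

# Constructed sample data, not real scan output. Fingerprints, IPs, domains
# and registrant emails are placeholders.
SONAR = [  # (scan_date, ip, sha1_fingerprint)
    (date(2016, 10, 2), "192.0.2.10", "fp-a"),
    (date(2016, 10, 9), "192.0.2.10", "fp-a"),
    (date(2016, 10, 9), "192.0.2.20", "fp-a"),
    (date(2016, 10, 16), "192.0.2.30", "fp-b"),  # a different certificate
]
PDNS = [  # (domain, ip, first_seen, last_seen)
    ("a.example", "192.0.2.10", date(2016, 10, 1), date(2016, 10, 12)),
    ("b.example", "192.0.2.20", date(2016, 10, 11), date(2016, 10, 20)),  # only via slack
    ("c.example", "192.0.2.20", date(2016, 11, 15), date(2016, 12, 1)),  # too late
    ("a.example", "192.0.2.20", date(2016, 10, 5), date(2016, 10, 9)),
]
WHOIS = {  # domain -> registrant email
    "a.example": "reg1@example.net",
    "b.example": "reg1@example.net",
    "c.example": "other@example.net",
}

def cert_ip_windows(records, fingerprint):
    """Map each IP that served `fingerprint` to its (first_seen, last_seen) in scans."""
    windows = {}
    for scan_date, ip, fp in records:
        if fp != fingerprint:
            continue
        first, last = windows.get(ip, (scan_date, scan_date))
        windows[ip] = (min(first, scan_date), max(last, scan_date))
    return windows

def pivot_domains(windows, pdns, slack_days=3):
    """Return {domain: set(ips)} for pDNS records that overlap an IP's certificate
    window, widened by `slack_days` because weekly scans leave gaps."""
    slack = timedelta(days=slack_days)
    hits = defaultdict(set)
    for domain, ip, first, last in pdns:
        if ip in windows:
            w_first, w_last = windows[ip]
            if first <= w_last + slack and last >= w_first - slack:
                hits[domain].add(ip)
    return dict(hits)

def group_by_registrant(domains, whois):
    """Group pivoted domains by registrant so shared registrants stand out."""
    groups = defaultdict(set)
    for domain in domains:
        groups[whois.get(domain, "unknown")].add(domain)
    return dict(groups)

if __name__ == "__main__":
    hits = pivot_domains(cert_ip_windows(SONAR, "fp-a"), PDNS)
    print(hits)
    print(group_by_registrant(hits, WHOIS))
```

Domains that land on more than one IP (here a.example) and domains sharing a registrant are the ones worth prioritising for monitoring.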

With that I will leave any further analysis as an exercise for you! Happy TLS searching.

IOCS

TLS Certificate SHA1 fingerprint:
2413e0ce45539f0acf61d0ccd876df978c4670c7
