How Do I Find DPRK Infrastructure with Censys
Hello, this is morimolymoly.
In this article, I am going to introduce how to explore DPRK infrastructure.
This technique can be applied to hunting any malware infrastructure.
I stumbled on this IP address by accident.
67.203.7[.]200
https://search.censys.io/hosts/67.203.7.200
Port 1244 on this host is an indicator of InvisibleFerret, the malware used in DPRK's Contagious Interview campaign.
This is a good starting point!
I took a deeper look at it.
At first, I searched by ETag, but found nothing new (all of the hits were already listed on some intel source).
So I changed my approach and found an interesting string.
This string was present on all of the servers I had found.
I also googled this string, but nothing of value turned up.
Then I searched by this string.
Almost all of the results were already listed on intel sources.
However, I found one unlisted server.
This server does not have port 1244 open.
Censys: https://search.censys.io/hosts/185.231.205.75
I suspected that port 80 was an InvisibleFerret endpoint.
I downloaded pdown through the pdown endpoint.
Gotcha! I got a fresh sample!
It is alive now!
(The Bazaar label is StrelaStealer, though.)
Judging by its VirusTotal reputation, it seems to have been reused many times.
In conclusion, threat actors running phishing campaigns reuse the same configuration across their infrastructure.
We can hunt with JA4, JA3, ETag, banners, suspicious strings, ports, etc.
I think finding the first piece of an infrastructure is the key point, and the most difficult one.
However, there are many intel sources.
We can use them for that.
Happy hunting!
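The pivoting workflow above (take one known host, collect its fingerprints, find other hosts that share them, drop the ones already on intel lists, and look at what is left) can be scripted once the host records are in hand. The script below is an added example written for this post; it is not the author's code and does not call the Censys API. The record layout is a constructed, simplified stand-in for the fields a Censys host page exposes (port, banner, ETag, a distinctive string in the response), the IPs are from the 192.0.2.0/24 documentation range, and every ETag, banner and marker value is made up. It also adds the check a hunter wants in practice: a fingerprint shared by too many hosts (port 80, a stock nginx banner) is ignored, so the pivot lands on the rare attributes, which is how the host without port 1244 surfaces here, just as the unlisted server did in the post.

```python
"""Fingerprint pivoting over host-scan records (added example, not the post's code).

The record layout is a constructed stand-in for the fields a Censys host page
exposes; it is not the Censys API schema. All IPs are documentation-range
addresses and every ETag, banner and marker value below is made up.
"""
from collections import defaultdict
from typing import Dict, List, Set, Tuple

Fingerprint = Tuple[str, str]  # (kind, value), e.g. ("etag", '"6f1a-5e2"')

# Constructed sample records. Hosts .10 and .11 mimic the "already listed"
# servers (port 1244 plus a shared ETag and marker string); .12 is the
# interesting case: same marker string, but no port 1244 at all.
SAMPLE_HOSTS: List[dict] = [
    {"ip": "192.0.2.10", "services": [
        {"port": 1244, "banner": "HTTP/1.0 200 OK", "etag": '"6f1a-5e2"', "marker": "MARKER_STRING"},
        {"port": 80, "banner": "nginx", "etag": None, "marker": "MARKER_STRING"}]},
    {"ip": "192.0.2.11", "services": [
        {"port": 1244, "banner": "HTTP/1.0 200 OK", "etag": '"6f1a-5e2"', "marker": "MARKER_STRING"},
        {"port": 80, "banner": "nginx", "etag": None, "marker": None}]},
    {"ip": "192.0.2.12", "services": [
        {"port": 80, "banner": "nginx", "etag": None, "marker": "MARKER_STRING"}]},
    {"ip": "192.0.2.13", "services": [
        {"port": 80, "banner": "nginx", "etag": None, "marker": None}]},
    {"ip": "192.0.2.14", "services": [
        {"port": 80, "banner": "Apache", "etag": None, "marker": None}]},
]

# Constructed stand-in for "hosts already listed on intel sources".
KNOWN_IOCS: Set[str] = {"192.0.2.10", "192.0.2.11"}


def fingerprints(host: dict) -> Set[Fingerprint]:
    """Every pivotable attribute of a host: open ports, banners, ETags, marker strings."""
    fps: Set[Fingerprint] = set()
    for svc in host["services"]:
        fps.add(("port", str(svc["port"])))
        for kind in ("banner", "etag", "marker"):
            if svc.get(kind):
                fps.add((kind, svc[kind]))
    return fps


def build_index(hosts: List[dict]) -> Dict[Fingerprint, Set[str]]:
    """Inverted index: fingerprint -> set of IPs carrying it."""
    index: Dict[Fingerprint, Set[str]] = defaultdict(set)
    for host in hosts:
        for fp in fingerprints(host):
            index[fp].add(host["ip"])
    return index


def noisy_fingerprints(index: Dict[Fingerprint, Set[str]], max_prevalence: int) -> Set[Fingerprint]:
    """Fingerprints seen on more than max_prevalence hosts (port 80, a stock
    nginx banner, ...) are too common to pivot on and are excluded."""
    return {fp for fp, ips in index.items() if len(ips) > max_prevalence}


def pivot(seed_ip: str, hosts: List[dict], known: Set[str],
          max_prevalence: int = 3) -> List[Tuple[str, List[Fingerprint]]]:
    """Hosts not yet on an intel list that share at least one rare fingerprint
    with the seed, paired with the shared fingerprints; most overlap first."""
    index = build_index(hosts)
    noisy = noisy_fingerprints(index, max_prevalence)
    seed = next(h for h in hosts if h["ip"] == seed_ip)
    shared: Dict[str, Set[Fingerprint]] = defaultdict(set)
    for fp in fingerprints(seed) - noisy:
        for ip in index[fp]:
            if ip != seed_ip and ip not in known:
                shared[ip].add(fp)
    return sorted(((ip, sorted(fps)) for ip, fps in shared.items()),
                  key=lambda item: (-len(item[1]), item[0]))


if __name__ == "__main__":
    # Seeded with the constructed "known" host .10: the only unlisted hit is
    # .12, reached through the marker string alone, even though it lacks 1244.
    for ip, fps in pivot("192.0.2.10", SAMPLE_HOSTS, KNOWN_IOCS):
        print(ip, fps)
```

The `max_prevalence` threshold is the part to tune: set it too high and every host on port 80 becomes a "hit"; set it too low and a genuinely shared ETag that the actor reused across a handful of servers gets thrown away along with the noise.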