Updated 23 Nov 1355 MST: Added some additional observations related to logon spoofing infrastructure.

Domain “hunting” is a process of identifying new (or at least, newly identified) network infrastructure associated with threat actors of interest. Such a process does not start in a void, but rather requires understanding tendencies and patterns associated with adversary infrastructure creation and management. This is especially effective when viewing individual network observables – or indicators – as natural composite objects, items that accrue multiple sub-observations relating to the given object’s creation, use, and potentially even intention.

One historical example of such activity is ThreatConnect’s analysis of (then) long-running infrastructure tendencies linked to APT28, also known as FancyBear, but associated with Russian Military Intelligence (GRU) 85th Main Special Service Center (GTsSS). ThreatConnect’s reporting publicized patterns used by intelligence professionals for several years prior, using a combination of x509 certificate information, domain registration tendencies, and domain hosting patterns to identify new APT28 infrastructure with high confidence as it was created. Unfortunately, the adversary largely migrated away from these patterns shortly after the blog’s publication, but the overall idea remains a solid mechanism to systematize external threat hunting as well as implementing an intelligence-driven pivoting process.

There are multiple ways to approach domain hunting and tracking. One reasonable mechanism is to utilize internal visibility of newly-observed network objects or external feeds such as DomainTools to look for infrastructure objects fitting certain patterns based on domain sub-characteristics. Using this methodology, the following domain came to light on 22 November 2022:

msn-imap[.]com

Even at first glance, this appears suspicious given naming conventions, spoofing a combination of MSN and IMAP services. Further research, in this case using DomainTools Iris Investigate, shows further details that call this item out as likely malicious:

DomainTools Iris Screenshot
DomainTools Iris ScreenShot

We can spot several items that look suspicious here – anonymized registration, dedicated hosting (on IP address 92.38.135.213), suspicious authoritative name server use – but unfortunately there’s very little to pivot on to learn more about this item (or identify related infrastructure) using just domain information.

We can dig further by looking at the hosting address. In this case, using Censys Search we can profile this further:

Censys Search Screenshot
Censys Search Screenshot
Censys Search Screenshot

Now we’re starting to get more details on how this object might be used by an adversary, as well as other observables that can be used for searching, hunting, and follow-on pivoting. Among other items, we’ve learned the following:

  • The adversary’s infrastructure characteristics:
    • Ubuntu Linux
    • Postfix SMTP server
    • Apache HTTP/HTTPS server
    • Use of Let’s Encrypt SSL/TLS certificates
  • JA3S hashes for various TLS services
  • Additional potential indicators, such as the domain onkrdot[.]info associated with the SMTP server

One item that immediately stands out is the SMTP server. Given our original domain’s email theme, we can hypothesize that this server may be utilized for future phishing infrastructure or email relay activity. However, we also have HTTP/HTTPS servers that appear active – but in a strange way. As seen in the above screenshot, an HTTPS request returns a status code of 200 (success), but the page content (based on the HTML title) says “404 Not Found.” What is going on here?

To simplify our research, we can utilize another service – urlscan.io – to handle our interactions for us. And this serves up something strange:

Website Capture from URLScan

This may seem unhelpful, but we’ve identified an interesting mismatch. Examination of the server through application fingerprinting indicates we are interacting with an Apache webserver, while the server itself is displaying a custom webpage modeled off of (but not exactly mirroring) an Ngnix webserver 404 landing page. While not a sign of obvious maliciousness, this mismatch and customization provides an interesting foothold for further exploration. One easy follow-on item lies within urlscan itself, where we can look for instances of similar landing pages based on the content hash of the delivered page – 9b43f670273b6a12b2b6894a9e29157c1859717594e98ccc5fb3eea05e71f4ed. This reveals something VERY interesting:

URLScan Pivot Results

We seem to have stumbled upon something reasonably unique, and linked to a variety of additional infrastructure – many of which spoof a variety of legitimate services. Among the items covered in this, we can see:

  • Korean web portal Daum 
  • Korean web portal Naver
  • Google services
  • Various mail, cloud, and certificate themes

Infrastructure is overwhelmingly concentrated in Korean or East Asian hosting providers, and all items appear to be created between March and November 2022 (see Table 1 below for a list of all identified indicators).

Additionally, looking at pDNS records (in this case from VirusTotal) for the IP addresses from urlscan shows additional infrastructure of interest likely linked to this campaign:

VirusTotal pDNS Information

At this stage we’ve collected a lot of information about various infrastructure created (and potentially used) in 2022 with similar themes, characteristics, and other observables. Yet it is important not to lose overall context as to what we might be looking at – so some external enrichment and research is required to learn more.

With no actual threat to go off of (yet), we can start our search looking for entities that typically host phishing infrastructure (either for sending email, or as landing pages for links) in East Asia (and especially South Korea), that focus on spoofing legitimate services with an emphasis on South Korean major web portals. Based on multiple reports from various entities, one threat group stands out matching these characteristics: North Korean-related entity Kimsuky.

While we cannot be certain at this stage, based on an initial suspicious feeling around one suspect domain, we have uncovered an entire ecosystem of related infrastructure that may be related to an in-progress Kimsuky-associated campaign, likely with a focus on website spoofing and phishing. Defenders, especially those with reason to believe they may be targeted by this North Korean-linked threat actor, should take the indicators provided in Table 1 and search historical logs to see if they have interacted with any of these infrastructure items as an initial defensive measure. Going forward, threat intelligence researchers can incorporate the characteristics in infrastructure creation documented in this report and the various linked resources to build a new hunting-and-pivoting profile for infrastructure related to this entity. Overall, network indicator research and refinement can yield fantastic results if you know both where to look, and what to look for.

Table 1 – Indicators From Research

Source ItemHosting IPHosting ProviderName ServerRegistrarCreate Date
118.128.149[.]119118.128.149.119LG Dacom BoranetN/AN/AN/A
210.92.18[.]161210.92.18.161EHOSTICTN/AN/AN/A
210.92.18[.]164210.92.18.164EHOSTICTN/AN/AN/A
23.106.122[.]1623.106.122.16LeaseWeb Asia Pacific Pte. Ltd.N/AN/AN/A
61.82.110[.]4661.82.110.46Korea TelecomN/AN/AN/A
61.82.110[.]6061.82.110.60Korea TelecomN/AN/AN/A
accountskk.certuser[.]infoN/AN/Acloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-06-07
authuser[.]infoN/AN/Acloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-06-07
certuser[.]infoN/AN/Acloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-06-07
daum-policy[.]com92.38.160.140G-Core Labs S.A.cloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-09-25
daum-privacy[.]com92.38.160.134G-Core Labs S.A.cloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-09-25
daum-security[.]com92.38.160.213G-Core Labs S.A.cloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-08-21
googlernails[.]comN/AN/Acloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-03-03
googlmeil[.]com209.99.40.222Confluence Networks Inccloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-05-31
goooglesecurity[.]com27.102.66.162Daou Technologycloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-03-01
guser[.]eu23.106.122.16LeaseWeb Asia Pacific Pte. Ltd.cloudns.netPDR Ltd.2022-09-12
kakaocop[.]com74.119.239.234PDRcloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-10-12
komale[.]eu210.92.18.164Sudokwonseobubonbucloudns.netPDR Ltd.2022-10-20
koreailmin[.]com74.119.239.234PDRcloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-09-02
main.in[.]netN/AN/AN/APDR Ltd. d/b/a PublicDomainRegistry.com2021-04-02
msn-imap[.]com92.38.135.213G-Core Labs S.A.openprovider.nlGANDI SAS2022-11-20
navemail[.]space210.92.18.180Sudokwonseobubonbucloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-09-12
navercorp[.]center209.99.40.222Confluence Networks Inccloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2021-08-31
navernail[.]euN/AN/Acloudns.netPDR Ltd.2022-07-13
oncloudvip[.]info92.38.135.166G-Core Labs S.A.cloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-08-22
onkrdot[.]infoN/AN/AN/APDR Ltd. d/b/a PublicDomainRegistry.com2022-10-02
servicemember[.]infoN/AN/Acloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-07-21
serviceprotect[.]eu210.92.18.180Sudokwonseobubonbucloudns.netPDR Ltd.2022-07-18
usersec[.]infoN/AN/Acloudns.netPDR Ltd. d/b/a PublicDomainRegistry.com2022-06-09
Table 1 – Indicators Related To Identified Activity

Additional Research

One thing that bothers me about the above are the “N/A” items for hosting – so, I decided to do some pDNS lookups in DomainTools to find out if there were subdomains hosted with these items. I was not disappointed:

SubdomainHostingFirst ObservedLast Observed
loginslive.certuser[.]info185.105.35[.]1114 Nov 202214 Nov 2022
accountsmt.certuser[.]info185.105.35[.]1114 Nov 202214 Nov 2022
loginsmcmf.certuser[.]info185.105.35[.]1114 Nov 202214 Nov 2022
loginsioup.certuser[.]info185.105.35[.]1114 Nov 202214 Nov 2022
t1dm.certuser[.]info185.105.35[.]1114 Nov 202214 Nov 2022
mysql06.certuser[.]info210.92.18[.]16124 Oct 202214 Nov 2022
accountsms.certuser[.]info210.92.18[.]16120 Sep 202203 Nov 2022
loginslive.certuser[.]info210.92.18[.]16131 Aug 202214 Nov 2022
account.authuser[.]info118.39.76[.]10920 Jun 202221 Jun 2022
loginslive.certuser[.]info185.105.35[.]1114 Nov 202214 Nov 2022
accountsmt.certuser[.]info185.105.35[.]1114 Nov 202214 Nov 2022
accountsms.certuser[.]info185.105.35[.]1114 Nov 202214 Nov 2022
mysql06.certuser[.]info210.92.18[.]16124 Oct 202214 Nov 2022
staticnidlog.navernail[.]eu210.92.18[.]16124 Oct 202213 Nov 2022
remote.navernail[.]eu210.92.18[.]16120 Sep 202213 Nov 2022
vpn.navernail[.]eu210.92.18[.]16114 Sep 202214 Sep 2022
accountsig.servicemember[.]info210.92.18[.]16121 Sep 202221 Sep 2022
loginsig.servicemember[.]info210.92.18[.]16121 Sep 202221 Sep 2022
Table 2 – pDNS Responses Revealing Subdomains

But wait – there’s more! We also have a few IP addresses from our original “haul” that didn’t appear related to any other infrastructure at first pass. Additional pDNS searching looking for responses yields more domains and subdomains:

IPDomainFirst SeenLast Seen
210.92.18[.]164contentnts.slogin[.]eu14 Nov 202214 Nov 2022
210.92.18[.]164accounts.oksite[.]eu05 Nov 202205 Nov 2022
210.92.18[.]164cmember[.]eu01 Nov 202201 Nov 2022
210.92.18[.]164accountslog.puser[.]eu30 Oct 202230 Oct 2022
210.92.18[.]164accounts.slogin[.]edu28 Oct 202209 Nov 2022
210.92.18[.]164natescorp[.]com28 Oct 202209 Nov 2022
210.92.18[.]164accounts.auser[.]eu06 Oct 202207 Oct 2022
210.92.18[.]164account.koreailmin[.]com12 Sep 202212 Sep 2022
210.92.18[.]164mailuser[.]info06 Sep 202206 Sep 2022
23.106.122[.]16accounts.guser[.]eu27 Oct 202228 Oct 2022
23.106.122[.]16accounts.goooglesecurity[.]com16 Aug 202209 Oct 2022
23.106.122[.]16mobile.navernnail[.]com23 Jun 202223 Jun 2022
61.82.110[.]60nidm.navernnail[.]com03 May 202203 May 2022
61.82.110[.]60nidlogin.navernnail[.]com25 Apr 202202 May 2022
Table 3 – pDNS Responses By IP Address

We can keep going back and forth between domains and IP addresses as long as we’d like, collecting indicators like so many Pokémon. But more usefully, we continued to refine our understanding of adversary infrastructure creation tendencies. Additionally, with the important caveat that pDNS data is not complete, we established rough timelines of when different infrastructure items appear to be “active” – allowing us to guide defenders as to when activity was most likely to have occurred.

Unfortunately, it appears most of the infrastructure identified is no longer “live.” But there’s more that we can do looking at other resources. For example, we can attempt to find mappings to file objects through resources such as VirusTotal. Similar to urlscan, we can search for the hash of the displayed, fake “404” page, which identifies additional items:

VirusTotal Result For Fake Ngnix 404 Page

More interestingly, we can contingently verify that these campaigns are tied to credential theft via website spoofing by looking at the full submitted URL for one of the domains in question:

URL Submitted To VirusTotal

While we can’t completely confirm with available information, it does appear that there is a “passthrough” on the link that on submission will redirect the user (or input) to the legitimate Gmail site.

Ideally, we would find a file – an email, a payload, or some other object – that would allow us to link the infrastructure to follow-on capabilities. In this case, a cursory research effort fails to identify any such objects, limiting our ability to take this further. But, if this actor – likely Kimsuky – is of interest to you, the following provides an interesting overview of how this actor appears to utilize infrastructure to facilitate credential capture for services such as Google, Naver, Daum, and others.