X-Labs
October 8, 2015

Infrastructure Re-use: Shared Frameworks and Attack Vectors

Jose Barajas

<p>
The threat landscape is constantly evolving, but in some ways there are fewer changes, or even attempts at camouflage, than you might expect: bad actors often host and launch their malicious campaigns from the same locations, making pockets of the Internet akin to a really bad neighborhood with gangs sharing headquarters.</p>

<h2>
Location, Location, Location</h2>

<p>
<img alt="" src="/sites/default/files/blog/legacy/1715.selection_014.png-550x0.png" style="height:202px; width:550px" /></p>

<p>
In fact, an astoundingly high concentration of threat vectors, despite using different delivery vehicles, share compromised infrastructure. A deep analysis of the cyber threatscape, using the Websense Threatseeker&reg; Intelligence Cloud&rsquo;s 5 billion daily global inputs as a data pool, reveals that bad actors share IP addresses and URLs to a degree that looks too concentrated to keep evading detection, and yet it works: Websense senior security researchers estimate that 99.32% of malware uses an IP that at least one other malware sample also accesses, and 98.42% uses an IP that at least five other malware samples access.</p>

<p>
For instance, Vawtrak droppers from September 2015 Bartallex-&gt;Fareit/Pony-&gt;Vawtrak campaigns were hosted on the same domain and directory path as the lure redirecting to a TorrentLocker installer used in June and July 2015.</p>

<p>
Vawtrak dropper locations:</p>

<ul>
<li>
hxxp://worldhealthsupply[.]com/system/logs/k1.exe</li>
<li>
hxxp://bloomgifts4u[.]com/system/logs/k1.exe</li>
<li>
hxxp://errors-seeds[.]cz/system/logs/k1.exe</li>
</ul>

<p>
TorrentLocker redirect URLs from email lures:</p>

<ul>
<li>
hxxp://bloomgifts4u[.]com/system/logs/VX5RqAPUrB9W42.php?id=&lt;redacted@target1.tld&gt;</li>
<li>
hxxp://worldhealthsupply[.]com/system/logs/4uSBkgXxZ9AYcnPs.php?id=&lt;redacted@target2.tld&gt;</li>
</ul>

<p>
<img alt="" src="/sites/default/files/blog/legacy/2474.selection_015.png-550x0.png" style="height:383px; width:550px" /></p>

<p>
As you can see, different threats are hanging their hats in the same location. While this could mean that the same bad actors are broadening their attack vectors and utilizing the structured frameworks they have access to for their ventures, it more likely indicates that bad actors share resources as a result of &lsquo;renting&rsquo; the compromised infrastructure from a provider (remember malware-as-a-service). Managing a compromised location could be a niche space for some opportunistic cyber malefactors, who could leverage distribution channels to others within the same shady circle for profit. In the Eastern European cyber-crime world, it is not uncommon for some bad actors to provide this location scouting, takeover, and management service to others with a more active and exploitive role.</p>
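<p>
The two measurements this post relies on, the share of samples whose contacted IPs are also contacted by other samples, and the pivot from a URL to its host and directory that exposed the common <code>/system/logs/</code> path above, are easy to reproduce over one's own sandbox or proxy data. The following is an added example, not code from the original post or from Websense: the sample-to-IP map is constructed from RFC 5737 documentation addresses, and the URL pivot uses the defanged indicators listed above.</p>

```python
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed data: sample id -> set of IPs the sample contacted (TEST-NET ranges).
SAMPLE_IPS = {
    "sample-1": {"198.51.100.10", "203.0.113.5"},
    "sample-2": {"198.51.100.10"},
    "sample-3": {"198.51.100.10", "192.0.2.77"},
    "sample-4": {"192.0.2.77"},
    "sample-5": {"203.0.113.9"},
}

# Indicators quoted in the post, kept defanged; the threat family is the label.
URLS_BY_THREAT = {
    "Vawtrak": [
        "hxxp://worldhealthsupply[.]com/system/logs/k1.exe",
        "hxxp://bloomgifts4u[.]com/system/logs/k1.exe",
        "hxxp://errors-seeds[.]cz/system/logs/k1.exe",
    ],
    "TorrentLocker": [
        "hxxp://bloomgifts4u[.]com/system/logs/VX5RqAPUrB9W42.php?id=redacted",
        "hxxp://worldhealthsupply[.]com/system/logs/4uSBkgXxZ9AYcnPs.php?id=redacted",
    ],
}


def shared_ip_ratio(sample_ips, min_others):
    """Fraction of samples that contact at least one IP which is also contacted
    by >= min_others *other* samples (min_others=1 and 5 match the post's figures)."""
    users_of_ip = defaultdict(set)
    for sample, ips in sample_ips.items():
        for ip in ips:
            users_of_ip[ip].add(sample)
    shared = [s for s, ips in sample_ips.items()
              if any(len(users_of_ip[ip]) - 1 >= min_others for ip in ips)]
    return len(shared) / len(sample_ips)


def refang(url):
    # Only for parsing; the stored indicators stay defanged.
    return url.replace("hxxp", "http").replace("[.]", ".")


def pivot_by_directory(urls_by_threat):
    """Group indicators by (host, directory) so that different filenames under the
    same path surface as shared infrastructure; keep only groups with >1 threat."""
    groups = defaultdict(set)
    for threat, urls in urls_by_threat.items():
        for url in urls:
            parts = urlsplit(refang(url))
            directory = parts.path.rsplit("/", 1)[0] + "/"
            groups[(parts.hostname, directory)].add(threat)
    return {key: sorted(threats) for key, threats in groups.items() if len(threats) > 1}
```

Run over real sandbox output, the first function gives the same two percentages the post cites for one's own corpus, and the second lists the hosts and directories worth blocking at the path level rather than per file.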
Primary contributors: Cristina Houle and Ran Mosessco
