SMTP Strangeness - Possible C2 - SANS Internet Storm Center

SMTP Strangeness - Possible C2
We received an email today that provided some interesting information from a reader (Bjorn) about some observed SMTP traffic that was unusal. From the appearance it could be related to exfil or C2. The domain in question is donotspamtoday.com whose IP is 185.14.30.147 and there is an DNS TXT entry for SPF. The domain was registered March 20, 2018. I have been unable to find any additional examples or information of similar traffic. Bjorn provided a good analysis of what was observed and I'd like to pass it along to see if anyone is seeing or has seen traffic similar to this. Here is what he sent to us: multiple compromised mail accounts being abused for some kind of covert channel communication. These are the common denominators in the mail communication: * Mail is submitted to the domain donotspamtoday.com, with a lowercase first name and single digit as local part of the address (kevin1@, joan4@, willy3@ etc) * When sending mail, the client identifies with a HELO name of 10 random lowercase characters (helo=<ckvcjsgffo>, helo=<uhtcpnyawr>, helo=<mjjrdvztxq> etc) * The mail's Subject is always three (3) garbled/hashed words, followed by MID: and 32 hex characters. Some examples: Subject: tjx gxtew kfzmmi MID:b5d479449a955af149e251860092b089 Subject: yjlp tahfhg bhj MID:2067087fb3e302fbd357bc7ccfe2b495 Subject: oezdvlh nbqhhd smbhmh MID:88664d1750835a08d2594ab3fba92751 Subject: kiyeax ggsqfeb aucilpi MID:ac6b795067515742c5f8e025c2c3dff0 Subject: tqorgfj crngne jwkbljt MID:b86c50466b75f5b2a088365f60c87bdc Subject: jhwz nchfa ujk MID:0178f3e6a51e6e4ad44baa0e54ba42cb Subject: obem jzmep nju MID:1f22a1aa5038b0921874567d0f4a3012 Subject: zqfn gkdepn vjyuu MID:1696a6720ad44f8c38084eb923127f5e Subject: ghod ttfq dqge MID:af8cad81ecaf028ad8019280d03f6a2b * Each mail body contains exactly one line of eight hashed words. The words in the mail body are different from the words in the subject. Some examples (one line from each mail): zjmviov rdktiw ovzdebu ysm htp kzhfsk escngpg oqcru nklnhk lidwen qeujgbe lcrz krf xufkyb xqpjqbg nto gcbvqzq dca wlfig prgrkg hmbzjn yxl uov lxwak cxkw jnv vezxdkz sfvib rqnyze fqkfwgs memck cwm * Most clients sending the mails connect from Brazil, but some connect from Iran, Turkey and others. The IPs observed exposing this behaviour are registered with Open Threat Exchange, https://otx.alienvault.com/pulse/5b2215e2eeaaee019b4e017b If anyone has any additional information or is seeing this traffic, please let us know. Lorna Hutcheson ISC Handler	Lorna 165 Posts ISC Handler
Reply Subscribe	Jun 15th 2018 7 months ago
Domain Name: DONOTSPAMTODAY.COM Registry Domain ID: 2241200130_DOMAIN_COM-VRSN Registrar WHOIS Server: whois.eranet.com Registrar URL: http://www.eranet.com Updated Date: 2018-03-20T15:17:15Z Creation Date: 2018-03-20T15:16:02Z Registry Expiry Date: 2019-03-20T15:16:02Z Registrar: Eranet International Limited Registrar IANA ID: 1868 Registrar Abuse Contact Email: cs@now.cn Registrar Abuse Contact Phone: +867563810566 Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited Name Server: NS1.DONOTSPAMTODAY.COM Name Server: NS2.DONOTSPAMTODAY.COM DNSSEC: unsigned Domain name: donotspamtoday.com Update Date: 2018-03-19T16:00:00Z Registrar Registration Expiration Date: 2019-03-19T16:00:00Z Registrar: ERANET INTERNATIONAL LIMITED Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited Registrant Country: CN Registrant Email: [REDACTED]@hotmail.com Admin Organization: n.a. Admin City: Xiamen Admin Province/state: FJ Admin Postal Code: 361326 Admin Country: CN Admin Email: [REDACTED]@hotmail.com Tech Organization: n.a. Tech City: Xiamen Tech Province/state: FJ Tech Postal Code: 361326 Tech Country: CN Tech Email: [REDACTED]@hotmail.com Name Server: ns1.donotspamtoday.com Name Server: ns2.donotspamtoday.com Billing Organization: n.a. Billing City: Xiamen Billing Province/state: FJ Billing Postal Code: 361326 Billing Country: CN Billing Email: [REDACTED]@hotmail.com ['mail.donotspamtoday.com'] data.13.port 110 data.13.timestamp 2018-05-22T11:25:10.256820 data.13.transport tcp data.2._shodan.crawler e9392a930ba74a5a7a9a04c307d8f2d045dad4b4 data.2._shodan.id null data.2._shodan.module imap-ssl data.2.data * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN A001 OK Pre-login capabilities listed, post-login capabilities have more. * ID NIL A002 OK ID completed. A003 BAD Error in IMAP command received by server. data.2.domains ['donotspamtoday.com'] data.2.hash 1857819577 data.2.hostnames ['mail.donotspamtoday.com'] data.2.opts.heartbleed 2018/06/10 10:08:51 185.14.30.147:993 - SAFE data.2.opts.vulns null data.2.port 993 its definirely a slippery character== person: UA Servers address: 26 Kosmicheskaya str. address: 61145 Kharkov, Ukraine phone: +380577298800 nic-hdl: UASR-RIPE mnt-by: MNT-UASRV created: 2012-08-14T09:06:06Z last-modified: 2012-08-14T09:27:57Z source: RIPE % Information related to '185.14.28.0/22AS21100' route: 185.14.28.0/22 descr: GREENFLOID-NL origin: AS21100 mnt-by: ITL-MNT created: 2017-05-15T08:57:42Z last-modified: 2017-05-15T08:57:42Z source: RIPE % Information related to '185.14.28.0/22AS50673' route: 185.14.28.0/22 descr: Camper Solutions Route Object origin: AS50673 mnt-by: SERVERIUS-MNT created: 2014-02-06T09:18:34Z last-modified: 2014-02-06T09:18:34Z source: RIPE --------------------------- <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head> <title>mail.donotspamtoday.com — Coming Soon</title> <meta http-equiv="Content-Type" content="text/html; charset=UTF-8"> <meta name="description" content="This is a default index page for a new domain."> <style type="text/css"> body {font-size:10px; color:#777777; font-family:arial; text-align:center;} h1 {font-size:64px; color:#555555; margin: 70px 0 50px 0;} p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px } div {width:320px; text-align:center; margin-left:auto;margin-right:auto;} a:link {color: #34536A;} a:visited {color: #34536A;} a:active {color: #34536A;} a:hover {color: #34536A;} </style> </head> <body> <h1>mail.donotspamtoday.com</h1> <div> <a href="http://vestacp.com/">Powered by VESTA</a> </div> ok im sure that enough	mokomoko1 1 Posts
Reply Quote	Jun 15th 2018 7 months ago
Sounds very similar to this post: http://lists.communigate.com/Lists/CGatePro/Message/106518.html Different domain being used but same format etc	Tom 1 Posts
Reply Quote	Jun 15th 2018 7 months ago
Thanks! Good find and definitely matches the pattern.	Lorna 165 Posts ISC Handler
Reply Quote	Jun 15th 2018 7 months ago
Good information and definitely a domain to watch!	Lorna 165 Posts ISC Handler
Reply Quote	Jun 15th 2018 7 months ago
Initial submitter here. Briefly checking whether the submitting IPs were listening on port 80, 15 out of 50 responded. 14 were running Ubiquiti's AirOS. One was an IntelBras WOM 5000. This could indicate some kind of IoT worm, targeting network equipment.	Bjorn 9 Posts
Reply Quote	Jun 19th 2018 7 months ago

We received an email today that provided some interesting information from a reader (Bjorn) about some observed SMTP traffic that was unusal. From the appearance it could be related to exfil or C2. The domain in question is donotspamtoday.com whose IP is 185.14.30.147 and there is an DNS TXT entry for SPF. The domain was registered March 20, 2018. I have been unable to find any additional examples or information of similar traffic.

Bjorn provided a good analysis of what was observed and I'd like to pass it along to see if anyone is seeing or has seen traffic similar to this. Here is what he sent to us:

multiple compromised mail accounts being abused for some kind of covert channel communication. These are the common denominators in the mail communication:

* Mail is submitted to the domain donotspamtoday.com, with a lowercase first name and single digit as local part of the address (kevin1@, joan4@, willy3@ etc)

* When sending mail, the client identifies with a HELO name of 10 random lowercase characters (helo=<ckvcjsgffo>, helo=<uhtcpnyawr>, helo=<mjjrdvztxq> etc)

* The mail's Subject is always three (3) garbled/hashed words, followed by MID: and 32 hex characters. Some examples:

Subject: tjx gxtew kfzmmi MID:b5d479449a955af149e251860092b089
Subject: yjlp tahfhg bhj MID:2067087fb3e302fbd357bc7ccfe2b495
Subject: oezdvlh nbqhhd smbhmh MID:88664d1750835a08d2594ab3fba92751
Subject: kiyeax ggsqfeb aucilpi MID:ac6b795067515742c5f8e025c2c3dff0
Subject: tqorgfj crngne jwkbljt MID:b86c50466b75f5b2a088365f60c87bdc
Subject: jhwz nchfa ujk MID:0178f3e6a51e6e4ad44baa0e54ba42cb
Subject: obem jzmep nju MID:1f22a1aa5038b0921874567d0f4a3012
Subject: zqfn gkdepn vjyuu MID:1696a6720ad44f8c38084eb923127f5e
Subject: ghod ttfq dqge MID:af8cad81ecaf028ad8019280d03f6a2b

* Each mail body contains exactly one line of eight hashed words. The words in the mail body are different from the words in the subject. Some examples (one line from each mail):

zjmviov rdktiw ovzdebu ysm htp kzhfsk escngpg oqcru
nklnhk lidwen qeujgbe lcrz krf xufkyb xqpjqbg nto
gcbvqzq dca wlfig prgrkg hmbzjn yxl uov lxwak
cxkw jnv vezxdkz sfvib rqnyze fqkfwgs memck cwm

* Most clients sending the mails connect from Brazil, but some connect from Iran, Turkey and others. The IPs observed exposing this behaviour are registered with Open Threat Exchange, https://otx.alienvault.com/pulse/5b2215e2eeaaee019b4e017b

If anyone has any additional information or is seeing this traffic, please let us know.

Lorna Hutcheson
ISC Handler

Lorna

165 Posts
ISC Handler

Domain Name: DONOTSPAMTODAY.COM
Registry Domain ID: 2241200130_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.eranet.com
Registrar URL: http://www.eranet.com
Updated Date: 2018-03-20T15:17:15Z
Creation Date: 2018-03-20T15:16:02Z
Registry Expiry Date: 2019-03-20T15:16:02Z
Registrar: Eranet International Limited
Registrar IANA ID: 1868
Registrar Abuse Contact Email: cs@now.cn
Registrar Abuse Contact Phone: +867563810566
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.DONOTSPAMTODAY.COM
Name Server: NS2.DONOTSPAMTODAY.COM
DNSSEC: unsigned
Domain name: donotspamtoday.com
Update Date: 2018-03-19T16:00:00Z
Registrar Registration Expiration Date: 2019-03-19T16:00:00Z
Registrar: ERANET INTERNATIONAL LIMITED
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registrant Country: CN
Registrant Email: [REDACTED]@hotmail.com
Admin Organization: n.a.
Admin City: Xiamen
Admin Province/state: FJ
Admin Postal Code: 361326
Admin Country: CN
Admin Email: [REDACTED]@hotmail.com
Tech Organization: n.a.
Tech City: Xiamen
Tech Province/state: FJ
Tech Postal Code: 361326
Tech Country: CN
Tech Email: [REDACTED]@hotmail.com
Name Server: ns1.donotspamtoday.com
Name Server: ns2.donotspamtoday.com
Billing Organization: n.a.
Billing City: Xiamen
Billing Province/state: FJ
Billing Postal Code: 361326
Billing Country: CN
Billing Email: [REDACTED]@hotmail.com

['mail.donotspamtoday.com']
data.13.port 110
data.13.timestamp 2018-05-22T11:25:10.256820
data.13.transport tcp
data.2._shodan.crawler e9392a930ba74a5a7a9a04c307d8f2d045dad4b4
data.2._shodan.id null
data.2._shodan.module imap-ssl
data.2.data * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN A001 OK Pre-login capabilities listed, post-login capabilities have more. * ID NIL A002 OK ID completed. A003 BAD Error in IMAP command received by server.
data.2.domains ['donotspamtoday.com']
data.2.hash 1857819577
data.2.hostnames ['mail.donotspamtoday.com']
data.2.opts.heartbleed 2018/06/10 10:08:51 185.14.30.147:993 - SAFE
data.2.opts.vulns null
data.2.port 993

its definirely a slippery character==

person: UA Servers
address: 26 Kosmicheskaya str.
address: 61145 Kharkov, Ukraine
phone: +380577298800
nic-hdl: UASR-RIPE
mnt-by: MNT-UASRV
created: 2012-08-14T09:06:06Z
last-modified: 2012-08-14T09:27:57Z
source: RIPE

% Information related to '185.14.28.0/22AS21100'

route: 185.14.28.0/22
descr: GREENFLOID-NL
origin: AS21100
mnt-by: ITL-MNT
created: 2017-05-15T08:57:42Z
last-modified: 2017-05-15T08:57:42Z
source: RIPE

% Information related to '185.14.28.0/22AS50673'

route: 185.14.28.0/22
descr: Camper Solutions Route Object
origin: AS50673
mnt-by: SERVERIUS-MNT
created: 2014-02-06T09:18:34Z
last-modified: 2014-02-06T09:18:34Z
source: RIPE
---------------------------
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<title>mail.donotspamtoday.com — Coming Soon</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="description" content="This is a default index page for a new domain.">
<style type="text/css">
body {font-size:10px; color:#777777; font-family:arial; text-align:center;}
h1 {font-size:64px; color:#555555; margin: 70px 0 50px 0;}
p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px }
div {width:320px; text-align:center; margin-left:auto;margin-right:auto;}
a:link {color: #34536A;}
a:visited {color: #34536A;}
a:active {color: #34536A;}
a:hover {color: #34536A;}
</style>
</head>

<body>
<h1>mail.donotspamtoday.com</h1>
<div>
<a href="http://vestacp.com/">Powered by VESTA</a>
</div>
ok im sure that enough

mokomoko1

1 Posts

Sounds very similar to this post:

http://lists.communigate.com/Lists/CGatePro/Message/106518.html

Different domain being used but same format etc

Tom

1 Posts

Thanks! Good find and definitely matches the pattern.

Lorna

165 Posts
ISC Handler

Good information and definitely a domain to watch!

Lorna

165 Posts
ISC Handler

Initial submitter here. Briefly checking whether the submitting IPs were listening on port 80, 15 out of 50 responded. 14 were running Ubiquiti's AirOS. One was an IntelBras WOM 5000. This could indicate some kind of IoT worm, targeting network equipment.

Bjorn

9 Posts