SMTP Strangeness - Possible C2

Published: 2018-06-15. Last Updated: 2018-06-15 05:56:22 UTC
by Lorna Hutcheson (Version: 1)
5 comment(s)

We received an email today that provided some interesting information from a reader (Bjorn) about some observed SMTP traffic that was unusal.  From the appearance it could be related to exfil or C2.  The domain in question is donotspamtoday.com whose IP is 185.14.30.147 and there is an DNS TXT entry for SPF.  The domain was registered March 20, 2018.  I have been unable to find any additional examples or information of similar traffic.

Bjorn provided a good analysis of what was observed and I'd like to pass it along to see if anyone is seeing or has seen traffic similar to this. Here is what he sent to us:  

multiple compromised mail accounts being abused for some kind of covert channel communication. These are the common denominators in the mail communication:

* Mail is submitted to the domain donotspamtoday.com, with a lowercase first name and single digit as local part of the address (kevin1@, joan4@, willy3@ etc)

* When sending mail, the client identifies with a HELO name of 10 random lowercase characters (helo=<ckvcjsgffo>, helo=<uhtcpnyawr>, helo=<mjjrdvztxq> etc)

* The mail's Subject is always three (3) garbled/hashed words, followed by MID: and 32 hex characters. Some examples:

Subject: tjx gxtew kfzmmi MID:b5d479449a955af149e251860092b089
Subject: yjlp tahfhg bhj MID:2067087fb3e302fbd357bc7ccfe2b495
Subject: oezdvlh nbqhhd smbhmh MID:88664d1750835a08d2594ab3fba92751
Subject: kiyeax ggsqfeb aucilpi MID:ac6b795067515742c5f8e025c2c3dff0
Subject: tqorgfj crngne jwkbljt MID:b86c50466b75f5b2a088365f60c87bdc
Subject: jhwz nchfa ujk MID:0178f3e6a51e6e4ad44baa0e54ba42cb
Subject: obem jzmep nju MID:1f22a1aa5038b0921874567d0f4a3012
Subject: zqfn gkdepn vjyuu MID:1696a6720ad44f8c38084eb923127f5e
Subject: ghod ttfq dqge MID:af8cad81ecaf028ad8019280d03f6a2b

* Each mail body contains exactly one line of eight hashed words. The words in the mail body are different from the words in the subject. Some examples (one line from each mail):

zjmviov rdktiw ovzdebu ysm htp kzhfsk escngpg oqcru
nklnhk lidwen qeujgbe lcrz krf xufkyb xqpjqbg nto
gcbvqzq dca wlfig prgrkg hmbzjn yxl uov lxwak
cxkw jnv vezxdkz sfvib rqnyze fqkfwgs memck cwm

* Most clients sending the mails connect from Brazil, but some connect from Iran, Turkey and others. The IPs observed exposing this behaviour are registered with Open Threat Exchange, https://otx.alienvault.com/pulse/5b2215e2eeaaee019b4e017b

 

If anyone has any additional information or is seeing this traffic, please let us know.  
 

Lorna Hutcheson
ISC Handler

Keywords: C2 exfil exfiltration SMTP
5 comment(s)

Comments

Domain Name: DONOTSPAMTODAY.COM
Registry Domain ID: 2241200130_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.eranet.com
Registrar URL: http://www.eranet.com
Updated Date: 2018-03-20T15:17:15Z
Creation Date: 2018-03-20T15:16:02Z
Registry Expiry Date: 2019-03-20T15:16:02Z
Registrar: Eranet International Limited
Registrar IANA ID: 1868
Registrar Abuse Contact Email: cs@now.cn
Registrar Abuse Contact Phone: +867563810566
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.DONOTSPAMTODAY.COM
Name Server: NS2.DONOTSPAMTODAY.COM
DNSSEC: unsigned
Domain name: donotspamtoday.com
Update Date: 2018-03-19T16:00:00Z
Registrar Registration Expiration Date: 2019-03-19T16:00:00Z
Registrar: ERANET INTERNATIONAL LIMITED
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registrant Country: CN
Registrant Email: [REDACTED]@hotmail.com
Admin Organization: n.a.
Admin City: Xiamen
Admin Province/state: FJ
Admin Postal Code: 361326
Admin Country: CN
Admin Email: [REDACTED]@hotmail.com
Tech Organization: n.a.
Tech City: Xiamen
Tech Province/state: FJ
Tech Postal Code: 361326
Tech Country: CN
Tech Email: [REDACTED]@hotmail.com
Name Server: ns1.donotspamtoday.com
Name Server: ns2.donotspamtoday.com
Billing Organization: n.a.
Billing City: Xiamen
Billing Province/state: FJ
Billing Postal Code: 361326
Billing Country: CN
Billing Email: [REDACTED]@hotmail.com



['mail.donotspamtoday.com']
data.13.port 110
data.13.timestamp 2018-05-22T11:25:10.256820
data.13.transport tcp
data.2._shodan.crawler e9392a930ba74a5a7a9a04c307d8f2d045dad4b4
data.2._shodan.id null
data.2._shodan.module imap-ssl
data.2.data * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready. * CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN A001 OK Pre-login capabilities listed, post-login capabilities have more. * ID NIL A002 OK ID completed. A003 BAD Error in IMAP command received by server.
data.2.domains ['donotspamtoday.com']
data.2.hash 1857819577
data.2.hostnames ['mail.donotspamtoday.com']
data.2.opts.heartbleed 2018/06/10 10:08:51 185.14.30.147:993 - SAFE
data.2.opts.vulns null
data.2.port 993

its definirely a slippery character==


person: UA Servers
address: 26 Kosmicheskaya str.
address: 61145 Kharkov, Ukraine
phone: +380577298800
nic-hdl: UASR-RIPE
mnt-by: MNT-UASRV
created: 2012-08-14T09:06:06Z
last-modified: 2012-08-14T09:27:57Z
source: RIPE

% Information related to '185.14.28.0/22AS21100'

route: 185.14.28.0/22
descr: GREENFLOID-NL
origin: AS21100
mnt-by: ITL-MNT
created: 2017-05-15T08:57:42Z
last-modified: 2017-05-15T08:57:42Z
source: RIPE

% Information related to '185.14.28.0/22AS50673'

route: 185.14.28.0/22
descr: Camper Solutions Route Object
origin: AS50673
mnt-by: SERVERIUS-MNT
created: 2014-02-06T09:18:34Z
last-modified: 2014-02-06T09:18:34Z
source: RIPE
---------------------------
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<title>mail.donotspamtoday.com — Coming Soon</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="description" content="This is a default index page for a new domain.">
<style type="text/css">
body {font-size:10px; color:#777777; font-family:arial; text-align:center;}
h1 {font-size:64px; color:#555555; margin: 70px 0 50px 0;}
p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px }
div {width:320px; text-align:center; margin-left:auto;margin-right:auto;}
a:link {color: #34536A;}
a:visited {color: #34536A;}
a:active {color: #34536A;}
a:hover {color: #34536A;}
</style>
</head>

<body>
<h1>mail.donotspamtoday.com</h1>
<div>
<a href="http://vestacp.com/">Powered by VESTA</a>
</div>
ok im sure that enough

Anonymous

Jun 15th 2018
7 years ago

Sounds very similar to this post:

http://lists.communigate.com/Lists/CGatePro/Message/106518.html

Different domain being used but same format etc

Anonymous

Jun 15th 2018
7 years ago

Thanks! Good find and definitely matches the pattern.

Anonymous

Jun 15th 2018
7 years ago

Good information and definitely a domain to watch!

Anonymous

Jun 15th 2018
7 years ago

Initial submitter here. Briefly checking whether the submitting IPs were listening on port 80, 15 out of 50 responded. 14 were running Ubiquiti's AirOS. One was an IntelBras WOM 5000. This could indicate some kind of IoT worm, targeting network equipment.

Anonymous

Jun 19th 2018
7 years ago

Login here to join the discussion.


Top of page
Diary Archives