We received an email today that provided some interesting information from a reader (Bjorn) about some observed SMTP traffic that was unusual. From the appearance it could be related to exfil or C2. The domain in question is donotspamtoday.com, whose IP is 185.14.30.147, and there is a DNS TXT entry for SPF. The domain was registered March 20, 2018. I have been unable to find any additional examples or information on similar traffic. Bjorn provided a good analysis of what was observed and I'd like to pass it along to see if anyone is seeing or has seen traffic similar to this. Here is what he sent to us:
multiple compromised mail accounts being abused for some kind of covert channel communication. These are the common denominators in the mail communication:
If anyone has any additional information or is seeing this traffic, please let us know.
Lorna Hutcheson, ISC Handler, Jun 15th 2018
Domain Name: DONOTSPAMTODAY.COM
Registry Domain ID: 2241200130_DOMAIN_COM-VRSN
Registrar WHOIS Server: whois.eranet.com
Registrar URL: http://www.eranet.com
Updated Date: 2018-03-20T15:17:15Z
Creation Date: 2018-03-20T15:16:02Z
Registry Expiry Date: 2019-03-20T15:16:02Z
Registrar: Eranet International Limited
Registrar IANA ID: 1868
Registrar Abuse Contact Email: cs@now.cn
Registrar Abuse Contact Phone: +867563810566
Domain Status: clientTransferProhibited https://icann.org/epp#clientTransferProhibited
Name Server: NS1.DONOTSPAMTODAY.COM
Name Server: NS2.DONOTSPAMTODAY.COM
DNSSEC: unsigned

Domain name: donotspamtoday.com
Update Date: 2018-03-19T16:00:00Z
Registrar Registration Expiration Date: 2019-03-19T16:00:00Z
Registrar: ERANET INTERNATIONAL LIMITED
Domain Status: clientTransferProhibited http://www.icann.org/epp#clientTransferProhibited
Registrant Country: CN
Registrant Email: [REDACTED]@hotmail.com
Admin Organization: n.a.
Admin City: Xiamen
Admin Province/state: FJ
Admin Postal Code: 361326
Admin Country: CN
Admin Email: [REDACTED]@hotmail.com
Tech Organization: n.a.
Tech City: Xiamen
Tech Province/state: FJ
Tech Postal Code: 361326
Tech Country: CN
Tech Email: [REDACTED]@hotmail.com
Name Server: ns1.donotspamtoday.com
Name Server: ns2.donotspamtoday.com
Billing Organization: n.a.
Billing City: Xiamen
Billing Province/state: FJ
Billing Postal Code: 361326
Billing Country: CN
Billing Email: [REDACTED]@hotmail.com

['mail.donotspamtoday.com']
data.13.port 110
data.13.timestamp 2018-05-22T11:25:10.256820
data.13.transport tcp
data.2._shodan.crawler e9392a930ba74a5a7a9a04c307d8f2d045dad4b4
data.2._shodan.id null
data.2._shodan.module imap-ssl
data.2.data * OK [CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN] Dovecot ready.
* CAPABILITY IMAP4rev1 LITERAL+ SASL-IR LOGIN-REFERRALS ID ENABLE IDLE AUTH=PLAIN AUTH=LOGIN
A001 OK Pre-login capabilities listed, post-login capabilities have more.
* ID NIL
A002 OK ID completed.
A003 BAD Error in IMAP command received by server.
data.2.domains ['donotspamtoday.com']
data.2.hash 1857819577
data.2.hostnames ['mail.donotspamtoday.com']
data.2.opts.heartbleed 2018/06/10 10:08:51 185.14.30.147:993 - SAFE
data.2.opts.vulns null
data.2.port 993

It's definitely a slippery character.

person: UA Servers
address: 26 Kosmicheskaya str.
address: 61145 Kharkov, Ukraine
phone: +380577298800
nic-hdl: UASR-RIPE
mnt-by: MNT-UASRV
created: 2012-08-14T09:06:06Z
last-modified: 2012-08-14T09:27:57Z
source: RIPE

% Information related to '185.14.28.0/22AS21100'
route: 185.14.28.0/22
descr: GREENFLOID-NL
origin: AS21100
mnt-by: ITL-MNT
created: 2017-05-15T08:57:42Z
last-modified: 2017-05-15T08:57:42Z
source: RIPE

% Information related to '185.14.28.0/22AS50673'
route: 185.14.28.0/22
descr: Camper Solutions Route Object
origin: AS50673
mnt-by: SERVERIUS-MNT
created: 2014-02-06T09:18:34Z
last-modified: 2014-02-06T09:18:34Z
source: RIPE

---------------------------
<html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"><head>
<title>mail.donotspamtoday.com — Coming Soon</title>
<meta http-equiv="Content-Type" content="text/html; charset=UTF-8">
<meta name="description" content="This is a default index page for a new domain.">
<style type="text/css">
body {font-size:10px; color:#777777; font-family:arial; text-align:center;}
h1 {font-size:64px; color:#555555; margin: 70px 0 50px 0;}
p {width:320px; text-align:center; margin-left:auto;margin-right:auto; margin-top: 30px }
div {width:320px; text-align:center; margin-left:auto;margin-right:auto;}
a:link {color: #34536A;} a:visited {color: #34536A;} a:active {color: #34536A;} a:hover {color: #34536A;}
</style>
</head>
<body>
<h1>mail.donotspamtoday.com</h1>
<div> <a href="http://vestacp.com/">Powered by VESTA</a> </div>

OK, I'm sure that's enough.
mokomoko1, Jun 15th 2018
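One way a defender can pivot on the indicators posted in this thread (the domain and IP from the diary, the Creation Date from the WHOIS record above): pull the registration date out of the pasted WHOIS text, match the indicators against mail-server log lines, and enrich each hit with how old the domain was when the event happened. This is an added example, not code from the diary or the commenter; the Postfix-style log lines, the recipient address and the sender domain are constructed.

```python
"""Added example: IOC match over mail logs plus domain-age enrichment."""
import re
from datetime import datetime, timezone

# Indicators quoted in the diary and in the WHOIS comment above.
IOC_DOMAIN = "donotspamtoday.com"
IOC_IP = "185.14.30.147"

# Fragment of the registry WHOIS record pasted in the thread.
WHOIS_TEXT = """Domain Name: DONOTSPAMTODAY.COM
Creation Date: 2018-03-20T15:16:02Z
Registrar: Eranet International Limited
Name Server: NS1.DONOTSPAMTODAY.COM"""

# Constructed Postfix-style log lines (not real traffic); lines 2 and 4 are hits.
SAMPLE_LOG = """Jun 14 09:12:01 mx postfix/smtpd[1201]: connect from mail.example.org[203.0.113.5]
Jun 14 09:12:44 mx postfix/smtpd[1202]: connect from mail.donotspamtoday.com[185.14.30.147]
Jun 14 09:13:02 mx postfix/qmgr[900]: 4F2A1: from=<user@corp.example>, size=512, nrcpt=1 (queue active)
Jun 14 09:13:03 mx postfix/smtp[1210]: 4F2A1: to=<drop@donotspamtoday.com>, relay=mail.donotspamtoday.com[185.14.30.147]:25, status=sent"""


def whois_creation_date(text):
    """Return the 'Creation Date:' field as an aware UTC datetime, or None."""
    m = re.search(r"^Creation Date:\s*(\S+)", text, re.M)
    if not m:
        return None
    return datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def scan_log(log_text, year=2018, created=None):
    """Return (line, domain_age_in_days) for every line naming the IOC domain or IP.

    Syslog lines carry no year, so the caller supplies it; age is None when no
    creation date is known."""
    hits = []
    for line in log_text.splitlines():
        if IOC_DOMAIN in line or IOC_IP in line:
            ts = datetime.strptime(f"{year} {line[:15]}", "%Y %b %d %H:%M:%S")
            ts = ts.replace(tzinfo=timezone.utc)
            age = (ts - created).days if created else None
            hits.append((line, age))
    return hits


if __name__ == "__main__":
    created = whois_creation_date(WHOIS_TEXT)
    for line, age in scan_log(SAMPLE_LOG, created=created):
        print(f"[domain age {age}d] {line}")
```

A domain that is under three months old at the time it starts receiving outbound mail from many accounts is worth a closer look on its own, independent of the IOC match.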
Sounds very similar to this post:
http://lists.communigate.com/Lists/CGatePro/Message/106518.html
Different domain being used, but same format etc.
Tom, Jun 15th 2018
Thanks! Good find and definitely matches the pattern.
Lorna, ISC Handler, Jun 15th 2018
Good information and definitely a domain to watch!
Lorna, ISC Handler, Jun 15th 2018
Initial submitter here. Briefly checking whether the submitting IPs were listening on port 80, 15 out of 50 responded. 14 were running Ubiquiti's AirOS. One was an IntelBras WOM 5000. This could indicate some kind of IoT worm, targeting network equipment.
Bjorn, Jun 19th 2018