7 min read

Case Study: PacketWatch and Validin

Case Study: PacketWatch and Validin

 

This case study shows how to investigate malicious traffic, a threat actor's infrastructure, IP addresses, and domain indicators of compromise.

validin-white-logo

Introduction

PacketWatch has integrated Validin’s threat intelligence into the PacketWatch WireSight console. This integration includes the Validin Threat Feed, which WireSight checks against every single session for signs of malicious traffic. Validin data is also used in the WireSight Lens Tool, which allows analysts to quickly gather enrichment details on any public IP address or domain on the fly.

This case study shows how PacketWatch Threat Analysts use Validin data to investigate malicious traffic. From there, we pivot to the Validin platform to investigate threat actor infrastructure and uncover additional IP address and domain indicators of compromise (IOCs). We then bring those indicators back into WireSight to conduct additional threat hunts.

PacketWatch integrated the Validin threat intelligence platform to give clients a more complete investigation workflow. Security leaders, IR teams, and threat hunters can identify malicious activity, investigate the infrastructure and patterns behind threat campaigns, and act on newly discovered indicators to help prevent further damage to client assets. This integration gives PacketWatch clients more capabilities and insights to protect their brands and reduce organizational risk.

 

Real World Example

packetwatch-figure-01-packetwatch-console-sessionsFigure 01: Default PacketWatch WireSight Sessions tab

 

In the Sessions tab of the PacketWatch WireSight console, run the following query to search for identified malicious traffic:

threat.\*:* AND network.direction:outbound AND NOT threat.indicator.name:"IP Tracking Domains"

This query returns outbound network connections flagged as threats, excluding those classified as “IP Tracking Domain”. WireSight still tracks and monitors IP Tracking Domains, but because they can lead to false positives, we exclude them from this exercise.

Running this query in a client tenant returns the following session data:

packetwatch-figure-02-session-dataFigure 02: WireSight sessions data

 

These two session records already tell us several useful details about the network traffic. The red bars on the far left side of the image indicate that Validin has flagged the session traffic as malicious. We see an internal IP address connecting to the external IP address 172.67.156[.]216. Between the two sessions, the server returned 29 packets totaling roughly 9 KB of data. We can also see that this traffic occurred over port 443 and connected to cpajoliette[.]com.

To gather more context, let’s review the IP address and hostname in the WireSight Lens Tool. The Lens Tool’s WHOIS data shows that the IP address belongs to Cloudflare. In this case, Validin’s passive DNS data is less useful because thousands of domains may be hosted behind the same Cloudflare IP address.

packetwatch-figure-03-ip-whoisFigure 03: Lens Tool WHOIS data for the IP address

 

However, the Reputation Score for the hostname in the Lens tool provides extra information that is useful to the investigation:

packetwatch-figure-04-reputation-scoreFigure 04: WireSight Lens Tool reputation data for the hostname

 

Many IOC feeds label an IP address or domain as “malicious” without additional context, forcing analysts to spend extra time doing research to correlate the IOC to a particular threat. With Validin-enriched Lens Tool data, we can see who tagged the hostname as malicious (Maltrail), which campaign it is associated with (LandUpdate808), and which third-party resources provide additional context (SANS ISC).

Now that we have a confirmed true positive, let’s pivot to the Validin console for more context on this domain and look for other recent infrastructure tied to the campaign. 

packetwatch-figure-05-cpajoliette-validin consoleFigure 05: Validin summary for cpajoliette[.]com

 

This page provides additional context about the domain. First, we confirm that the domain is associated with the LandUpdate808 fake software update campaign. The link on the page also takes us to the SANS ISC report, which we examine next. We also confirm that the domain uses Cloudflare and now resolves to a different Cloudflare IP address than it did during the captured WireSight session. Finally, the domain’s registration date of December 1, 2010, suggests that it may be a legitimate site that was compromised through a vulnerability.

Taking a short detour to review the SANS ISC report confirms that this domain previously hosted a malicious JavaScript file, d.js, which SANS associates with SmartApeSG, part of the fake software update threat family. The report also shows that the domain leveraged a ClickFix prompt to trick users into downloading malware. 

 

packetwatch-figure-06-sans-ics-smartapesg-referenceFigure 06: Domain observed in the SANS ISC Report (report link)

 

We now have a clearer idea of what to look for in our investigation. Knowing which domain was visited and that the ClickFix was involved, we can review endpoint logs for suspicious cmd.exe or PowerShell commands, as well as any processes launched or created during that timeframe.

Circling back to Validin, we look for additional infrastructure tied to the campaign. In the “Host Connections” tab, we find a potentially useful lead:

packetwatch-figure-07-validin-host-connections-cpajoliette

Figure 07: Validin Host Connections tab

 

The page lists several “JS_LINKS-HOST” records pointing to seemingly unrelated domains. This suggests that these domains contain links to cpajoliette[.]com, potentially as part of an SEO abuse campaign. We test this hypothesis by examining the page source of one of the listed domains. We select bestofmidwest[.]com, view the HTML source, and search for cpajoliette:

packetwatch-figure-08-bestofmidwest-source-codeFigure 08: HTML source for bestofmidwest[.]com

 

This result strongly supports the SEO abuse hypothesis. The threat actors appear to be injecting code into vulnerable WordPress sites to promote their infrastructure.


Visiting the cpajoliette[.]com directly reveals an apparently benign website for the “Joliette Silver Stars Figure Skating Club”:

packetwatch-figure-09-cpajoliette-webpage-screenshotFigure 09: cpajoliette[.]com home page

 

Next, we request the d.js file identified in the SANS ISC report.

packetwatch-figure-10-bronzewhisper-js-codeFigure 10: Redirect after requesting cpajoliette[.]com/d[.]js

 

The request immediately redirects to a new domain and JavaScript file: bronzewhisper[.]top/alias/tenant-asset[.]js. Deobfuscating and analyzing this JavaScript is beyond the scope of this article, but this code functions as a ClickFix loader, further confirming what we already suspected.

Now that we have a new domain IOC, let’s examine it in Validin for additional pivot opportunities:

packetwatch-figure-11-bronzewhisper-validin-a-record

Figure 11: Domain A record in Validin

 

The Resolutions tab shows an A record pointing to a previously unknown IP address. Because this domain is not behind Cloudflare, the IP address may be a useful IOC. We also see that the A record is very new, suggesting that this infrastructure may be new to the campaign. In the Host Connections tab, we look for distinctive attributes that could support additional pivots:

packetwatch-figure-12-bronzewhisper-host-meta-tagFigure 12: bronzewhisper[.]top HOST-META tag in Validin

 

Validin captured the following HOST-META value <meta name=”description” content=”Licensed general contractor specializing in residential and commercial construction projects.”>. Because every Validin data point is pivotable, we can click this value to find any other infrastructure observed using this exact meta description.

packetwatch-figure-13-host-meta-pivot-validinFigure 13: Validin HOST-META pivot results

 

This looks promising! The results include several suspicious .top domains that were recently registered, mostly use the same ASN (AS213230, HETZNER-CLOUD2-AS), and all resolve to IP addresses geolocated in Germany. We now have a growing list of potential IOCs for threat hunting and further pivoting:

178.156.219[.]224
87.99.148[.]129
87.99.159[.]241
87.99.143[.]230
5.161.124[.]201
5.78.196[.]236

bronzewhisper[.]top (original pivot)
cobaltmeadow[.]top
jadepassagehub[.]top
openmeadowlab[.]top

Farther down the page, we find another recently registered domain tagged as malicious under the ZPHP label: 

packetwatch-figure-14-sharpfield-meta-hostFigure 14: Additional domain flagged as malicious

 

ZPHP is a new lead, so let’s pivot to the domain for more detail and assess whether this campaign is related:

packetwatch-figure-15-sharpfield-summary-page-validinFigure 15: Validin summary for sharpfield[.]top

 

Under Reputation Factors, Validin identifies ZPHP as an alias for SmartApeSG, suggesting that sharpfield[.]top may belong to the same campaign as our other IOCs. This entry also links to a SANS ISC report, although we do not see this domain mentioned. So how did this get correlated to that campaign?

 

Additional Pivots

The second link points to the Maltrail list containing this domain as an IOC. This link is extensive, but searching for “sharpfield” shows the domain grouped under two qualifiers. The first is the SANS ISC report already discussed. The second provides another additional clue: BODY_SHA1-HOST=c06768826d06adfea5f86c63fcb01c21c8d67e0f. This value is the SHA1 hash of the domain’s HTML body. Validin includes this fingerprint in its dataset, allowing us to search the hash and identify domains with the same HTML body.packetwatch-figure-16-sha1-body-hash-pivot

Figure 16: SHA-1 body-hash Pivot in Validin

 

This pivot identifies four additional IOCs:

silvercourier[.]top
silvertrailhub[.]top

5.161.248[.]121
104.36.229[.]207

Pivoting into the first new IP address, 5.161.248[.]121, reveals another potentially useful HOST-META value in the Host Connections tab: 

packetwatch-figure-17-ip-host-meta-pivotFigure 17: IOC HOST-META tag

 

This pivot was fruitful previously, so we repeat it here:

packetwatch-figure-18-meta-host-pivot-iocsFigure 18: HOST-META pivot results in Host Connections

 

The pivot identifies one new IP IOC, 178.156.128[.]5, and shows that other IPs and domains using this same meta description have also been associated with the ZPHP campaign.

 

Returning to the Original Pivot

At this point, we return to the earlier bronzewhisper[.]top pivot and investigate its hosting IP address, 178.156.219[.]224:

packetwatch-figure-19-bronzewhisper-ip-pivotsFigure 19: IP address A records in Validin

 

 In the Host Connections tab, we find another meta description observed on the site several days earlier: 

packetwatch-figure-20-host-meta-tag-bronzewhisper-ip

Figure 20: HOST-META tag in Validin

 

This pivot identifies two additional domain IOCs:

ambergallery[.]top
copperhorizon[.]top

We repeat this process by examining meta descriptions and other domains hosted at the identified IP addresses. This yields the following additional IOCs, all registered within the two weeks preceding the investigation:

crimsonterrace[.]top
coralmanor[.]top
ivorycourtyard[.]top
ivorycompass[.]top
silverfolio[.]top
coralregistry[.]top
cedarlanternhub[.]top
granitequill[.]top
stoneharvest[.]top
marblebeacon[.]top
hazelcanvas[.]top
ambercompanion[.]top

One final interesting pivot is the favicon hash e3a46f20be728d46dac88ec757345713. This pivot identifies one additional domain IOC:

saffronjunction[.]top

To validate these IOCs, we can request the JavaScript path observed on the previously identified domains:  

packetwatch-figure-21-saffronjunction-javascript

Figure 21: Matching obfuscated JavaScript

 

The browser also shows that this page uses the same favicon as the original bronzewhisper[.]top pivot:

packetwatch-figure-22-favicon-validationFigure 22: Matching favicon

 

Closing the Loop in PacketWatch WireSight

Now that we have identified these previously unreported IOCs through Validin pivoting, we query the client’s WireSight session data (full packet capture) from the last month to determine whether any of the campaign’s domains or IP addresses were contacted:

\*.host:(crimsonterrace.top OR coralmanor.top OR ivorycourtyard.top OR ivorycompass.top OR jadepassagehub.top OR silverfolio.top OR coralregistry.top OR cedarlanternhub.top OR granitequill.top OR ambergallery.top OR copperhorizon.top OR alabastervoyage.top OR ambercompanion.top OR silvertrailhub.top OR silvercourier.top OR cobaltmeadow.top OR openmeadowlab.top OR bronzewhisper.top OR stoneharvest.top OR marblebeacon.top OR hazelcanvas.top OR saffronjunction.top) OR \*.ip:(178.156.219.224 OR 178.156.128.5 OR 87.99.148.129 OR 87.99.159.241 OR 87.99.143.230 OR 5.161.124.201 OR 5.78.196.236 OR 5.161.248.121 OR 104.36.229.207)

packetwatch-figure-23-pw-session-dataFigure 23: WireSight session data returned by the search query

 

We got a hit! We can now use this telemetry to investigate further and determine whether the attack succeeded.

This case demonstrates the value of going beyond the static threat-feed IOCs by using Validin's dataset to pivot and uncover additional threat actor infrastructure. These newly identified IOCs are added to custom WireSight Signals in Irix, enabling automatic WireSights for future matches.

 

New IOCs

 

178.156.219[.]224
178.156.128[.]5
87.99.148[.]129
87.99.159[.]241
87.99.143[.]230
5.161.124[.]201
5.78.196[.]236
5.161.248[.]121
104.36.229[.]207

crimsonterrace[.]top
coralmanor[.]top
ivorycourtyard[.]top
ivorycompass[.]top
jadepassagehub[.]top
silverfolio[.]top
coralregistry[.]top
cedarlanternhub[.]top
granitequill[.]top
ambergallery[.]top
copperhorizon[.]top
alabastervoyage[.]top
ambercompanion[.]top
silvertrailhub[.]top
silvercourier[.]top
cobaltmeadow[.]top
openmeadowlab[.]top
bronzewhisper[.]top
stoneharvest[.]top
marblebeacon[.]top
hazelcanvas[.]top
saffronjunction[.]top

 

To learn more about PacketWatch threat hunting offerings, visit www.packetwatch.com. To learn more about Validin, visit www.validin.com.

 



John Garner
John has worked in Cyber Security for over 10 years. His experience includes different analyst roles in various SOCs, security engineering for cyber ranges, and threat intelligence at PacketWatch.

 

This article is provided FREE to the cybersecurity community.

Visit our Beyond the Threat Feed Blog for more articles.

Visit our Cyber Threat Profile Blog for threat profiles.

Visit our Cyber Threat Intelligence Blog for intelligence reports.

 

 


Subscribe to be notified of future cyber threat intelligence posts:

 

Table of Contents
Case Study: PacketWatch and Validin

7 min read

Case Study: PacketWatch and Validin

This case study shows how to investigate malicious traffic, a threat actor's infrastructure, IP addresses, and domain indicators of compromise.

Read More
Future Team Sixty43 Reports.
Be notified when Cyber Threat Intelligence Reports, Threat Profiles, or Beyond the Threat Feed articles are published.