# Cert Safari: Leveraging TLS Certificates to Hunt Evil

**[prevailion.com/cert-safari-leveraging-tls-certificates-to-hunt-evil/](https://www.prevailion.com/cert-safari-leveraging-tls-certificates-to-hunt-evil/)**

July 27, 2021

27 July 2021

Proactively hunting for malicious infrastructure is a persistent puzzle for threat researchers to
work and solve. It is a complex and evolving problem, made more complex (though not
[unmanageable) by Domain Privacy and](https://en.wikipedia.org/wiki/Domain_privacy) [GDPR, which obscure WHOIS information that](https://umbrella.cisco.com/blog/gdpr-and-whois)


-----

Analysts and Researchers would otherwise use to identify trends and corroborate other
observations to increase confidence in attribution of infrastructure clustering. This has forced
researchers to identify other methods to proactively hunt for malicious infrastructure.

**How to Leverage TLS Certificates**

Assisted by an increasing body of knowledge generated by thoughtful, forward-leaning
analysts working on this very problem {1-9}, the Prevailion Adversarial Counterintelligence
Team (PACT) leverages TLS certificates to compensate for the investigatory vacuum left by
WHOIS redactions. But, before we dive into an analytical methodology along with an
example that leverages this source of information, a quick primer on how the internet works:

Domain names, like “Wikipedia.org,” are not required for network communications, but
an IP address is (the internet runs on TCP/IP, after all).
Domain names provide a sense of brand, recognition, and utility that IP addresses
cannot (IP addresses are for machines, domain names are for people).
Most legitimate sites will have a domain name that is mapped to (one or more) IP
addresses.

The push for encrypted communications over the internet, mainly due to the influence of
ecommerce, made much of the day-to-day communications between a user’s computer and
a website (on a domain) encrypted using the TLS (Transport Layer Security) protocol. To
implement and use TLS, a website must first prove its identity by presenting a TLS
certificate. The TLS certificate contains information about the website (domain) and the
organization that runs and owns that domain. It is further countersigned by a trusted party
(the Certificate Authority, or CA), whose sole job is to verify that the site is truly owned and
operated by the entity claiming ownership.

TLS certs are intended to bind together a domain name with an organizational identity {10}.
For example, the TLS cert for Wikipedia {Figure 1, below} displays the Subject Common
Name (CN=*.wikipedia.org), effectively proving the web server’s legitimate right to serve any
webpage from the domain (or any subdomain) ending in “wikipedia.org”. Additionally, it can
serve web pages from the other domains on the cert, as agreed upon by the entity
(Wikipedia) and the CA (Let’s Encrypt).


-----

_Figure 1 – Wikpedia’s TLS certificate_

Armed with the understanding that TLS certificates are required for encrypted
communications between a computer and a website (domain), and that IP addresses are
required for network communications (but domain names are not), it stands to reason that
TLS certificates must be associated with the IP addresses hosting a given domain.

Malicious actors must execute most, if not all, of the following steps to create supporting
infrastructure for their operations {7}:

1. Create a registration persona
2. Buy a domain name from a registrar/reseller
3. Set up hosting at an IP address
4. Set up target or operation-specific subdomain infrastructure
5. Create an SSL certificate if requiring HTTPS communication
6. Enable services at a hosting IP address or the domain
7. Set up domain with a website or redirect


-----

Each of these steps provides an opportunity for the researcher to identify tactics or artifacts
that can be used to cluster adversary activity or infrastructure. This methodology was
recently used by the PACT to uncover what appears to be a cluster of unattributed activity
that has yet to be reported on, hosted mainly on Vietnamese infrastructure and using domain
names with a technology and cryptocurrency theme.

The PACT initially identified a blacklisted certificate, listed as a generic “Malware C&C,” on
the SSL certificate blacklist (SSLBL) provided by the amazing folks at ABUSE.ch {11}.
Analysts identified the cert on Censys.io by its SHA1 fingerprint, where it was associated
with “google247[.]xyz” {Figure 2 below}

_Figure 2 – the blacklisted certificate from SSLBL_

To identify the hosting infrastructure, analysts used DomainTools’ WHOIS tool to query the
domain associated with the certificate. Two notable facts were identified:

1. The domain is hosted on 14.241.72[.]25
2. Four other domains are hosted on the same IP {Figure 3, below}.


-----

_Figure 3 – WHOIS info for the domain associated with the blacklisted certificate_

Analysts also noted the following additional facts for future pivots:

1. Registrant Organization: Nguyễn Quang Thuỷ
2. Registrar: Mat Bao Corporation
3. Name Servers: NS1.MATBAO.COM & NS2.MATBAO.COM

Identifying the hosting address of the domain enabled a pivot to Shodan {Figures 4,5,
below}, which identified an additional domain associated with that IP: sellview[.]xyz.


-----

-----

_Figure 4,5 – Results of Shodan query for the host, identifying it by IP and TLS certificate_

Censys was used to backstop the findings from Shodan, positively identifying both the IP and
the certificate seen on the target IP in Shodan {Figures 6,7, below}:


-----

-----

_Figure 6 – IP corroboration from Censys_

_Figure 7 – Certificate corroboration from Censys_

The certificate structure for sellview[.]xyz is similar in structure to the original certificate for
google247[.]xyz (from the SSLBL): the “Issuer DN” string is identical; validity period is 1 year,
and the “Names” values are identically structured. There are now two domains with
overlapping certificate characteristics being hosted on IP 14.241.72[.]25. Additional
similarities can be seen within the WHOIS registration data: the registrant information was


-----

identical (Registrant Organization: Nguyễn Quang Thuỷ; Registrar: Mat Bao Corporation,
and nameservers). Screenshots of both domains using URLSCAN.io also proved to be
identical: a blank white screen with “Hello.” written in black text in the top-left corner {Figure
8}.

_Figure 8 – Screenshot of the two domains_

The matching WHOIS registration data, along with the identical certificate structure, hosting
infrastructure, and URLSCAN website screenshots, indicate it is highly likely this activity can
be clustered.

Next, PACT pivoted on the IP in an attempt to identify additional domains that might be
clustered with the observed activity. Querying the IP using passive DNS and domain
intelligence tools corroborated the hosting of the previously identified domains as well as
dozens of other domains registered under the *.xyz TLD.

Some were immediately notable due to their similarity in name or theme:

1. google360[.]xyz
2. shippro[.]xyz
3. btc247[.]xyz
4. btc360[.]xyz
5. follow247[.]xyz
6. follow360[.]xyz
7. forex247[.]xyz
8. forex24h[.]xyz
9. gold247[.]xyz
10. gold360[.]xyz

11. googlevn[.]xyz
12. guess247[.]xyz
13. guess360[.]xyz
14. mailgoogle[.]xyz

Others appeared to target a Vietnamese-speaking audience:

1 Giaovat[ ]xyz (translated*: “giao vat” = delivery)


-----

2. Timviec[.]xyz (translated : tim viec = heart)
3. Xemhang[.]vn (translated*: “xem hang” = see the cave)
4. Xemhang[.]xyz (see above)
5. Xuatban[.]xyz (translated*: “xuat ban” = leave you)

*translation provided using Google Translate

The shared theme of the domains (technology, cryptocurrency, re-use of numbering schemes

[e.g., btc247, gold247, guess247] and the consistent use of the “.xyz” TLD), as well as the
shared hosting infrastructure (IP 14.241.72[.]25), along with the overlapping WHOIS data, is
used to loosely cluster this activity.

All domains listed above (22 in total) share the following characteristics:

1. Hosted (currently or previously) on IP 14.241.72.25
2. Registrant Organization: Nguyễn Quang Thuỷ
3. Registrar: Mat Bao Corporation
4. Name Servers: NS1.MATBAO.COM & NS2.MATBAO.COM

**Additional Analysis**

In keeping with the subject of this post, certificate analysis on all 22 domains continued
strengthening the case for clustering this activity. 20 of the 22 domains have overlapping
certificate characteristics: they were previously registered with 90-day certificates from
Certificate Authority “ZeroSSL”, and 13 have a current 12-month certificate from Certificate
Authority Sectigo. The Sectigo certificates share a common naming schema for the
website/domain in the Common Name (CN) and Subject Alternative Names (SAN) as well as
the ‘Issuer DN’ string “C=GB, ST=Greater Manchester, L=Salford, O=Sectigo Limited,
CN=Sectigo RSA Domain Validation Secure Server CA”. Both the Sectigo and ZeroSSL
certificates share the same naming schema in the CN and SAN fields.

Certificate histories were available for some of the domains as far back as 2016, which also
revealed that this actor has been using multiple certificate authorities (Sectigo/Comodo,
ZeroSSL, Let’s Encrypt). Expired certificates for some domains also revealed additional
domains (via entries in the CN or SAN fields), but these domains were not included in the
findings as historical hosting data was not available. It appears from certificate timestamps
that the actor was using the ZeroSSL certs in early 2021, then recertified their domains using
Sectigo as the ZeroSSL certs began expiring. The most recent certifications have a period
of validity beginning on 08 July 2021 (for both btc360[.]xyz and btc247[.]xyz), indicating that
the actor is actively maintaining this infrastructure. The expired ZeroSSL certs are
timestamped largely from early 2021, with most valid beginning dates clustered in March
2021. Certificate histories could be identified as far back as 2016 for a few select domains,
but the actor appears to have begun building out the current cluster of infrastructure in mid2020 (June/July).


-----

In order to visualize current and potential connections, the indicators were loaded into
VirusTotal Graph. VT Graph enabled analysts to further pivot on malicious samples
downloaded from and communicating with the domains and hosting infrastructure, as well as
identify URLs and sub-domains clustered with the identified domains.

Further analysis of the malware hosted within these domains reinforces the
interconnectedness of the network. The identified samples relied heavily on scripting and
LOLbins to establish persistence in the victim machine and communicate with the threat
actor. Additional payloads and scripts were retrieved from btc247[.]xyz. Communication was
made via SMTP from btc247[@]sellview[.]xyz to 247@sellview[.]xyz leveraging a mailserver
at emailserver[.]vn, a large Vietnamese webmail provider. {Figure 9,10}

_Figure 9 – Network traffic generated by infection_


-----

_Figure 10 – SMTP communication from victim machine_

The email attachment contains information from the victim machine indicating if it has a
configuration file for TeamViewer or a specific cryptominer. Samples of this cryptominer were
found in an open directory on one of the domains in this network. AeroAdmin is installed for
remote control of the victim machine, but we were unable to link the AeroAdmin account
back to any specific group or actor at this time.

**Conclusion**

Redaction of registration data previously available via WHOIS has left Threat Researchers
and Threat Intel Analysts with a gap that can be bridged by investigation and clustering of
TLS Certificates to identify adversary infrastructure. Thanks to the push for Certificate
Transparency{12,13}, each CA continuously updates a permanent, append-only record of all
certificates that have been associated to domains, which can then be leveraged to identify
hosting infrastructure (and even adversary TTPs) by searching the data provided by the
good folks doing the public service of scanning the internet {14}. Researchers hunting
malicious infrastructure can continue to ply their trade while society grapples with GDPR and
privacy law.

**Notes on Analytical Gaps:**

1. Prevailion Analysts do not currently possess region-specific, nuanced knowledge of the

Vietnamese internet hosting market, so something like the choices of registrar may be
restricted enough that multiple entities might be forced to use the same registrar and
name server (leading to false confidence in clustering activity).
2. Long term hosting data (SSL certificate scans or pDNS data) may have enabled further

pivot opportunities based upon domains observed in expired certificates.

**REFERENCES:**

1. https://medium.com/@mark.parsons/hunting-a-tls-certificate-series-post-1
6ad7adfebe44
2. [Mark Parsons @ SANS DFIR: Hunting Cyber Threat Actors with TLS Certificates]

[(https://www.youtube.com/watch?v=SieSrv8RGic)](https://www.youtube.com/watch?v=SieSrv8RGic)
[3. [Ryan Kovar @ SANS DFIR:](https://www.youtube.com/watch?v=QA5OTUVqJiw)](https://www.youtube.com/watch?v=QA5OTUVqJiw)


-----

[4. https://www.riskiq.com/blog/external-threat-management/threat-hunting-post-whois/](https://www.riskiq.com/blog/external-threat-management/threat-hunting-post-whois/)
5. https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as
[composite-objects?utm_campaign=current-events-to-widespread-campaigns-pivoting-](https://www.domaintools.com/resources/blog/analyzing-network-infrastructure-as-composite-objects?utm_campaign=current-events-to-widespread-campaigns-pivoting-from-samples-to-identify&utm_source=Blog)
from-samples-to-identify&utm_source=Blog
[6. https://osintcurio.us/2019/03/12/certificates-the-osint-gift-that-keeps-on-giving/](https://osintcurio.us/2019/03/12/certificates-the-osint-gift-that-keeps-on-giving/)
[7. https://threatconnect.com/blog/infrastructure-research-hunting/](https://threatconnect.com/blog/infrastructure-research-hunting/)
[8. https://threatconnect.com/blog/track-to-the-future/](https://threatconnect.com/blog/track-to-the-future/)
9. https://threatconnect.com/blog/using-fancy-bear-ssl-certificate-information-to-identify
their-infrastructure/
[10. https://www.globalsign.com/en/ssl-information-center/what-is-an-ssl-certificate](https://www.globalsign.com/en/ssl-information-center/what-is-an-ssl-certificate)

[11. https://sslbl.abuse.ch/](https://sslbl.abuse.ch/)
12. https://www.rapid7.com/blog/post/2018/01/04/certificate-transparency-the-gift-that
keeps-giving/
13. [https://transparencyreport.google.com/https/certificates?hl=en](https://transparencyreport.google.com/https/certificates?hl=en)
14. [https://scans.io/](https://scans.io/)


-----