See how programmers can safely and confidently surf the Internet~

Contents

1. Overview

2. Asset Analysis

2.1 Asset Features

2.2 Traceability results

3. Event Analysis

3.1 Mail Delivery

3.2 Fraud

3.3 How to respond


1. Overview

Today the Weibo user "Sohu charles", verified by Weibo as "Zhang Chaoyang, Chairman and CEO of Sohu Company", posted that an internal Sohu employee mailbox had been compromised and that employees had been hit by phishing; the losses were described as small.

Tracing the incident from the information currently available, the Weibu Online Intelligence Bureau confirmed that this was another phishing campaign by the black-industry (黑产, organized cybercrime) group it tracks internally as "Ganb". The Bureau captured this group last year and has tracked it since: from the end of 2021 it has sent large volumes of mass phishing emails and text messages under the pretext of claiming medical insurance funds and provident fund subsidies. Around March 2022 its activity escalated into a large-scale phishing campaign against the financial industry, which the Bureau reported at the time. The Bureau's findings are summarized as follows:

  1. The group maintains lure templates for several industries and sends them out in bulk by email and text message. The goal is to harvest the victim's bank card number, mobile phone number, card password, ID number and similar data, and then defraud them.

  2. The group's working model is "one developer, many operators": an upstream supplier develops the management platform framework, and once it is finished sells the use of accounts on it to several downstream operators, each running their own campaigns.

  3. Correlation shows the group has been active since at least December 2021, with both its activity and the number of victims growing since.

  4. The group uses large numbers of algorithmically generated (DGA-style) domain names as springboards to keep its sites reachable, and a small set of scheduling domains to route them to its real assets.

  5. Neither the assets nor the springboard domains have distinctive characteristics; asset selection follows no obvious pattern, and deployments change very quickly, so when a domain is taken down the binding can be moved to another domain and the back-end stays reachable.

  6. The assets show strong anti-reconnaissance awareness: the domain names and the management back-end hide identifying information, and a full-traffic DNS resolution service distributes traffic before it finally reaches a Hong Kong Amazon server controlled by the group.

2. Asset Analysis

2.1 Asset Features

1. To manage the large number of generated domain names and keep each one resolving to the intended fraud page, the group configures a CNAME on every springboard domain that points to one of a small set of scheduling domains, which classify and route the springboards. When a springboard domain is accessed it first resolves, via its CNAME, to a site*.ganb.run name; that name in turn resolves to the IP of the host that serves the phishing page, and business traffic begins. The principle is shown in the following figure:

From the service's basic configuration, one characteristic stands out: public site*.ganb.run names are used as the CNAME scheduling domains. The ones observed are:

  • site05.ganb.run

  • site06.ganb.run

  • site07.ganb.run

The actual access path and DNS resolution are shown in the figure below: the phishing domain's CNAME points to site*.ganb.run, and site*.ganb.run then schedules the query to the actual IP.

The *.ganb.run names currently resolve to 12 IPs in total, on cloud hosts both inside and outside China. Five of them are listed here:

  • 119.28.66.157

  • 27.124.17.20

  • 103.158.190.187

  • 47.242.105.202

  • 103.118.40.161

2. After collecting and confirming a large set of the group's assets and related infrastructure, a further characteristic emerged: the domain names reached by scanning the QR codes in the phishing emails are generally irregular, automatically generated names (commonly called DGA domains, although they are registered names rather than names a piece of malware computes). The generation algorithm is unknown, but the registered label is typically a random 4-6 character mix of digits and letters, combined with free top-level domains such as run, xyz, pro and nuo, as shown in the following figure:
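The following is an added example, not Weibu Online tooling and not code from the report, that turns the two observations above into a triage check: it matches the short random label on a run/xyz/pro/nuo TLD, follows the CNAME chain to see whether it passes through a site*.ganb.run scheduling name, and compares the final A record with the IPs listed above. The DNS table is a constructed in-memory stand-in so the script runs offline; the springboard names in it are invented, and 203.0.113.9 and 192.0.2.10 are RFC 5737 documentation addresses, not indicators from the report.

```python
"""Triage a domain against the Ganb infrastructure pattern described above.

Added example, not Weibu Online tooling or code from the report. It checks
three things: the short random registered label on a run/xyz/pro/nuo TLD,
a CNAME hop through a site*.ganb.run scheduling name, and a final A record in
the IP list published above. DNS data is a constructed in-memory table so the
script runs offline; replace resolve() with a real lookup to use it live.
"""
import re
from typing import Optional

# Indicators taken from the asset analysis.
SCHEDULER_RE = re.compile(r"^site\d{2}\.ganb\.run$")
KNOWN_IPS = {
    "119.28.66.157", "27.124.17.20", "103.158.190.187",
    "47.242.105.202", "103.118.40.161",
}
# 4-6 character label of digits/letters directly under one of the free TLDs.
SPRINGBOARD_RE = re.compile(r"^[a-z0-9]{4,6}\.(?:run|xyz|pro|nuo)$")

# Constructed stand-in for live DNS: name -> (rtype, rdata). The springboard
# names are invented; the ganb.run names and 119.28.66.157 come from the report.
# 203.0.113.9 and 192.0.2.10 are RFC 5737 documentation addresses.
RECORDS = {
    "k7q2x.xyz": ("CNAME", "site05.ganb.run"),
    "site05.ganb.run": ("A", "119.28.66.157"),
    "ab12cd.pro": ("CNAME", "site07.ganb.run"),
    "site07.ganb.run": ("A", "203.0.113.9"),
    "loop1.run": ("CNAME", "loop2.run"),
    "loop2.run": ("CNAME", "loop1.run"),
    "example.com": ("A", "192.0.2.10"),
}


def resolve(name: str) -> Optional[tuple[str, str]]:
    """One lookup in the constructed table (swap for dnspython/getaddrinfo)."""
    return RECORDS.get(name.lower().rstrip("."))


def walk_chain(name: str, max_hops: int = 8) -> tuple[list[str], Optional[str]]:
    """Follow CNAMEs from `name`. Returns (names visited in order, final IPv4 or
    None). Bounded and loop-safe so a hostile zone cannot spin the triager."""
    current = name.lower().rstrip(".")
    chain, seen = [current], {current}
    for _ in range(max_hops):
        rr = resolve(current)
        if rr is None:
            return chain, None            # NXDOMAIN / no data
        rtype, rdata = rr
        if rtype == "A":
            return chain, rdata
        if rdata in seen:
            return chain, None            # CNAME loop
        chain.append(rdata)
        seen.add(rdata)
        current = rdata
    return chain, None                    # hop limit reached


def triage(domain: str) -> dict:
    """Score one domain and return the evidence together with a verdict."""
    domain = domain.lower().rstrip(".")
    chain, ip = walk_chain(domain)
    hits = {
        "random_label_free_tld": bool(SPRINGBOARD_RE.match(domain)),
        "scheduler_in_chain": any(SCHEDULER_RE.match(n) for n in chain),
        "known_ip": ip in KNOWN_IPS,
    }
    # The scheduling hop is decisive: every springboard carries it. The other
    # two are weaker on their own (cloud IPs get reassigned, short labels are
    # common), so they only raise the domain to "suspicious".
    if hits["scheduler_in_chain"]:
        verdict = "ganb"
    elif hits["known_ip"] or hits["random_label_free_tld"]:
        verdict = "suspicious"
    else:
        verdict = "clean"
    return {"domain": domain, "chain": chain, "ip": ip, "hits": hits, "verdict": verdict}


if __name__ == "__main__":
    for d in ("k7q2x.xyz", "ab12cd.pro", "loop1.run", "example.com", "nosuch.run"):
        print(triage(d))
```

The scheduling hop is the strong indicator: the springboard domains rotate, but each one carries a CNAME to the same handful of ganb.run names, so a blocklist or resolver policy that matches the CNAME target rather than only the queried name covers the whole pool. The final IP is weaker evidence on its own because cloud addresses are reassigned, which is why the verdict treats it as "suspicious" rather than conclusive.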

2.2 Traceability results

1. Through traceability analysis we reached the gang's central management back-end and obtained detailed information about the site, shown below:

Analysis shows the platform has 8 user accounts in total, each running different phishing techniques and templates. This supports the "one developer, many operators" model: the upstream supplier develops the management platform framework and, once it is finished, sells the use of accounts to downstream operators. Judging by the characteristics of the account passwords, the system developer also took part in the phishing with two of the accounts.

2. Logging in to the back-end with the recovered accounts and passwords, the interface holds a large amount of victim data. A rough count puts the total number of victims in the thousands, and new submissions were still arriving.

The back-end's system settings contain switches that control which fields the phishing page asks for, such as a name switch and a bank card number switch, so an operator can target exactly the victim information they want.

By function, it has 8 built-in phishing templates, and the text of the pop-up box shown after redirection can be customized.

The specific template is as follows:

  • ETC template (already used in the wild)

  • New-ETC template (already used in the wild)

  • Social security template (already used in the wild)

  • Medical insurance template (already used in the wild)

  • A certain group template

  • Business template

  • A certain policy template

  • A certain East-A political template

  • A certain fish template (already used in the wild)

Some phishing email templates are as follows:

Some phishing website templates are as follows:

Companies are advised to check internally, based on the above, whether they have received emails or text messages on these topics with this wording, warn employees promptly, and remind them not to trust such messages or websites.

3. Taken together, the data above shows a typical black-industry operation: it mass-phishes with everyday pretexts such as provident funds and medical insurance funds, steers victims to the fraud sites it deploys, and already has a large number of victims. Unlike earlier automated black-industry phishing, the group raises its success rate with "manual duty": back-end staff push pop-up prompts in real time, based on what each victim has just submitted, to guide and defraud them precisely.

Phishing usually rests on social engineering: it exploits employees' psychological weak points and bypasses the enterprise's passive defensive technologies and measures, which is why it "lands" and is one of the most critical factors in its success. This creates the current awkward situation: preventing phishing mostly relies on employees' own vigilance, and they need "sharp eyes" to screen messages.

4. The domain management section of the central back-end shows the group currently holds a large pool of springboard domains, 831 in total, used to rebind deployments quickly and resist domain takedowns.

The domain-addition timestamps show the earliest domain was added on December 26, 2021, which proves the group has been active since at least around December 2021.

3. Event Analysis

The Weibu Intelligence Bureau has monitored a number of email and text message frauds by black-industry groups targeting domestic mobile phone users.

The fraud method in detail:

3.1 Mail Delivery

First, the group mass-mails the victim's mailbox or mass-texts the victim's phone (mainly by email). The text falsely claims things like "the finance department is issuing salary subsidies, scan the code to claim them" or "claim your medical insurance benefits" to catch the victim's interest. The group generates large numbers of DGA-style springboard domains and encodes them into QR codes; the victim scans the code with a phone, which opens the corresponding phishing page.

3.2 Fraud

Scanning the QR code with a phone opens the matching phishing page. Notably, during the redirect the site reads characteristics of the request (the User-Agent header, screen resolution and similar) to tell which platform the victim's phone runs (Android or Apple).

When it detects a desktop computer it only shows "Please use a mobile phone to access" (so a desktop sandbox or analyst browser sees nothing but this prompt). The page itself is designed to induce the victim to fill in bank card number, name, mobile phone number, ID number and other details.

When the victim fills in the information truthfully and submits it, the page shows a pop-up box, and the next step of the fraud is delivered through prompts customized in real time by the operator in the back-end, such as "CVV error, please re-enter the expiry date and CVV" or "Please enter your online banking password". In this way a live operator can defraud each victim precisely according to their situation.
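The following is an added example, not code from the report or from Weibu Online, of triaging an inbound message for the delivery pattern described in 3.1 and 3.2: lure wording about subsidies and "scan the code", an image attachment that carries the QR code, and any visible URLs or short random-label domains on the free TLDs from the asset analysis. Both messages it parses are constructed for the example, and the PNG attachment is just the 8-byte PNG signature. QR decoding is left out on purpose (hand the reported images to a QR decoder and run the resulting domains through your DNS triage), and the lure phrases are English renderings assumed here, so for real mail use the original-language wording of the templates.

```python
"""Triage an inbound email for the 'scan the QR code to claim your subsidy' lure.

Added example, not code from the report. Uses only the standard library: it
parses the raw message, flags lure phrases, extracts URLs and random-label
domains on the free TLDs seen in the asset analysis, and reports image
attachments, because the QR code travels as an image and a URL-only scanner
sees nothing. Both sample messages below are constructed for this example.
"""
import re
from email import message_from_bytes, policy

# English renderings of the lure themes named in the report (assumed wording).
LURE_PHRASES = (
    "salary subsidy", "finance department", "medical insurance",
    "social security", "provident fund", "scan the code", "scan the qr",
)
URL_RE = re.compile(r"https?://[^\s\"'<>]+", re.I)
# Short random label directly under one of the free TLDs the group favours.
SPRINGBOARD_RE = re.compile(r"\b[a-z0-9]{4,6}\.(?:run|xyz|pro|nuo)\b", re.I)

# Constructed lure: subsidy wording, no link, QR code as a PNG attachment
# (the attachment body is only the PNG signature, enough for the parser).
SAMPLE_EML = b"""From: HR <hr@example.com>
To: staff@example.com
Subject: Finance department salary subsidy - scan the code to claim
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

The finance department issues salary subsidies this month.
Scan the QR code in the attachment to claim before Friday.
--b1
Content-Type: image/png; name="subsidy.png"
Content-Disposition: attachment; filename="subsidy.png"
Content-Transfer-Encoding: base64

iVBORw0KGgo=
--b1--
"""

# Constructed benign message with an ordinary link, to show no false positive.
BENIGN_EML = b"""From: Alice <alice@example.com>
To: bob@example.com
Subject: Lunch on Friday?

Want to try the new place at noon? Menu: https://menu.example.com/friday
"""


def triage_message(raw: bytes) -> dict:
    """Return lure hits, URLs, candidate springboard domains, image attachments
    and an overall verdict for one raw RFC 5322 message."""
    msg = message_from_bytes(raw, policy=policy.default)
    text_parts, images = [], []
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in ("text/plain", "text/html"):
            text_parts.append(part.get_content())
        elif ctype.startswith("image/"):
            payload = part.get_payload(decode=True) or b""
            images.append({"filename": part.get_filename(), "bytes": len(payload)})
    text = " ".join([str(msg.get("Subject", ""))] + text_parts).lower()
    lures = [p for p in LURE_PHRASES if p in text]
    urls = URL_RE.findall(text)
    springboards = sorted({m.group(0).lower() for m in SPRINGBOARD_RE.finditer(text)})
    # The report's pattern is benefit/subsidy wording plus a QR image and no
    # clickable link. Two lure phrases together with an image or a
    # springboard-style domain is enough to pull the message for review.
    suspicious = len(lures) >= 2 and bool(images or springboards)
    return {
        "lures": lures,
        "urls": urls,
        "springboard_domains": springboards,
        "images": images,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for label, raw in (("lure", SAMPLE_EML), ("benign", BENIGN_EML)):
        print(label, triage_message(raw))
```

Because the landing page refuses desktop visitors, any URL recovered from a decoded QR code should be detonated with a mobile User-Agent and a phone-sized viewport, otherwise the sandbox only records the "Please use a mobile phone to access" prompt and never reaches the data-collection form.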

3.3 How to respond

Passive defense struggles here, so active defense is needed from a new angle and with new methods. For example, Weibu Online's OneDNS combines DNS with threat intelligence: when a link is clicked or a code is scanned and the browser tries to reach a phishing site, the resolver screens the domain name first; once the name is identified as malicious (phishing or otherwise), resolution stops and an interception page is returned indicating that the access is risky.

Note: OneDNS interception page. During domain name resolution OneDNS compares the name against the threat intelligence database; once a malicious domain is found, it stops resolving and returns the interception page.

OneDNS application trial address: https://page.ma.scrmtech.com/landing-page/index?pf_uid=15831_1728&id=11278&channel=28881

Source: blog.csdn.net/weixin_39032019/article/details/124971164