Godaddy DNS System Still Compromised To Deliver Yet Another Gandcrab Ransomware Campaign


Last week we reported on a fairly large-scale Gandcrab ransomware campaign whose delivery was assisted by a security hole in Godaddy's DNS system (and almost certainly in other major DNS providers). Some of the major tech sites reported on the DNS compromise, saying Godaddy was aware of it and was "fixing" the problem. Well, 10 days later it still isn't fixed and the criminals are continuing to use the "exploit", misconfiguration, or security hole in Godaddy's DNS system.

Update 3 February 2019: I have heard back from a member of Godaddy's security team, who assures me the misconfiguration was fixed last week to prevent further use of the vulnerability, but some dangling domains that had already been added to a miscreant's account were missed. They are now reviewing and searching again to hopefully clear up the situation for good and prevent any recurrence. We know from the original research quoted in the 2 articles that other major DNS providers are extremely likely to be vulnerable; I hope they will also examine their services and fix anything found. I can understand the problems that a company like Godaddy, which hosts millions of sites and DNS entries, will have.

It is relatively simple to scan all DNS entries and check whether they point to a Godaddy site or to an off-site external host. The problem comes in determining whether the external host is legitimate or fraudulent (the campaign this week used hosting companies not previously known to be involved). Many people purchase a domain from Godaddy and consequently use Godaddy's DNS service, but host their website or email externally. There are also lots of users who purchased a domain from another registrar (quite often because of special offers and extremely low introductory prices) but host on Godaddy or have a Godaddy account, so they point the domain to their Godaddy account and use Godaddy's DNS service, while still hosting some services externally as well.

To further exacerbate the problem, quite a large number of people, especially companies, purchase a domain name and either never use it, or have used it but no longer need it, yet keep it registered to prevent a competitor or anybody else from using it. It appears to be this final group, who have stopped using the domain but left the DNS delegated to the Godaddy DNS servers without any zone file telling those servers where requests for the domain should go, that have been vulnerable to the misconfiguration exploit. The misconfiguration allowed any Godaddy account holder who used, or had access to, the same DNS server(s) as a "vulnerable" domain name (one without an existing zone file) to add that domain name to their own account and direct it to a server of their choice.

This can happen on any server. In fact it has been known to be a problem on cPanel and WHM controlled "shared" servers, where the settings clearly warn about this problem. It appears to be the "Allow Remote Domains" setting, or a variation of it, that has allowed this to happen.

cPanel WHM domain setup settings

I would think that the permanent "cure" for this would be for Godaddy and all other multi-tenant DNS providers to scan all their systems for "orphaned" DNS entries, where the domain points to the DNS service but has no zone file associated with it, and automatically create a simple zone file that sends all requests to a "holding" or "advertising" page on the service. This is what the majority of domain registrars do with newly created domains, which immediately point to a holding page saying "This domain was purchased on domainname.com. You will see this page until the owner sets up a site."
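As an added example (not code from the post), here is the orphaned-delegation check and the holding-zone remedy described above, in Python. It assumes the provider's nameservers share the domaincontrol.com suffix named later in the post, that a server with no zone loaded answers REFUSED or SERVFAIL to an SOA query for the name, and that dnspython is installed for the optional live probe; the Probe answers it is run against are constructed, not real lookups.

```python
"""Dangling-delegation check plus holding-zone remedy. Added example, not the
post's code. Assumes provider nameservers share the domaincontrol.com suffix
named in the post and that a server with no zone loaded answers REFUSED or
SERVFAIL to an SOA query; live_probe is optional and needs dnspython."""
from dataclasses import dataclass
from typing import List

PROVIDER_NS_SUFFIX = ".domaincontrol.com."  # Godaddy nameservers named in the post

@dataclass
class Probe:
    domain: str      # fully qualified, trailing dot
    ns: List[str]    # NS names from the parent-side delegation
    soa_rcode: str   # rcode an on-provider NS returned for "<domain> SOA"

def classify(p: Probe) -> str:
    """'external': delegated elsewhere; 'hosted': zone present;
    'orphaned': delegation points at the provider but no zone answers."""
    if not any(n.lower().endswith(PROVIDER_NS_SUFFIX) for n in p.ns):
        return "external"
    if p.soa_rcode == "NOERROR":
        return "hosted"
    if p.soa_rcode in ("REFUSED", "SERVFAIL"):
        return "orphaned"  # claimable by another tenant until a zone exists
    return "unknown"

def holding_zone(domain: str, holding_ip: str, ttl: int = 3600) -> str:
    """Minimal zone parking an orphaned name on the provider's holding page."""
    d = domain if domain.endswith(".") else domain + "."
    return "\n".join([
        f"$ORIGIN {d}",
        f"$TTL {ttl}",
        f"@ IN SOA ns57.domaincontrol.com. hostmaster.{d} 1 7200 3600 1209600 {ttl}",
        "@ IN NS ns57.domaincontrol.com.",
        "@ IN NS ns58.domaincontrol.com.",
        f"@ IN A {holding_ip}",
    ]) + "\n"

def live_probe(domain: str) -> Probe:
    """Real delegation lookup (needs dnspython and network); not run offline."""
    import dns.message, dns.query, dns.rcode, dns.resolver
    d = domain if domain.endswith(".") else domain + "."
    ns = [str(r.target) for r in dns.resolver.resolve(d, "NS")]
    target = next((n for n in ns if n.lower().endswith(PROVIDER_NS_SUFFIX)), None)
    if target is None:
        return Probe(d, ns, "N/A")
    ip = dns.resolver.resolve(target, "A")[0].address
    resp = dns.query.udp(dns.message.make_query(d, "SOA"), ip, timeout=5)
    return Probe(d, ns, dns.rcode.to_text(resp.rcode()))
```

A provider-side sweep would run live_probe over every name delegated to its servers and feed each "orphaned" result to holding_zone; a domain owner can run the same check on their own parked names.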

These posts by Brian Krebs and Ars Technica give details about the "exploit" and the way it has been used for several months in massive scam campaigns.

I first posted about this Godaddy compromise / vulnerability / security hole in early December.

These malware campaigns delivering Gandcrab ransomware (and probably other malware campaigns) are nowhere near the scale of the "bomb threat" or "sextortion" scams, but they are numerous enough for some researchers to notice, though not yet for the mainstream tech media to pick up on at this stage.

What makes these malware-laden emails much more likely to be delivered is the fact that the sending domains all have a good reputation. There are dozens, if not hundreds, of domains involved in this particular campaign. Almost all the domains have been registered for many years, some for more than 10 years.

There have been 2 basic themes to this campaign, which started yesterday, 1 February 2019: DHL deliveries and e-fax messages.

Some subjects and alleged senders include:

  • Urgent delivery (DHL Express)
  • Shipment details (DHL Express)
  • Order details (DHL Express)
  • Shipping status (DHL Express)
  • Nеw еFAX mеssage (AT&T E-FAX)
  • Nеw еFAX mеssagе (Sogatel E-FAX)


Email addresses that have been seen used in this campaign (note that all the domains start with an "A" or a "B", which was the same pattern as last week, so I am pretty sure these criminals are saving the rest of the alphabet for later campaigns; or there are so many vulnerable domains starting with "A" or "B" using Godaddy DNS services that the criminals have no need to go any further down the alphabet). These are only the email addresses and domains that I saw or found easily via my contacts on Twitter. I am certain that somebody with access to VirusTotal Intelligence, or one of the companies specialising in spam and malware filtering services, will find many more examples of the DNS compromises.


All the domains use the Godaddy DNS servers NS57.DOMAINCONTROL.COM and NS58.DOMAINCONTROL.COM.

All these domains are hosted on 2 IP ranges. Both companies are new entrants to the list of hosting services involved in this "Spammy Bear" campaign:

  1. 185.144.28.* (AS44493 Chelyabinsk-Signal LLC, a Russian hosting company)
  2. 89.191.234.* (AS40824 WZ Communications Inc., based in Texas, USA)


Here are a few screenshots of the ones I received, followed by a screengrab from a Twitter post by another researcher.

Screenshots: Gandcrab emails, fake emails, Gandcrab table

Next an example of the Fake DHL delivery messages

Next an example of the e-fax emails (with the e-fax ones, all the companies named in the body of the email are different and random).

Fake E-Fax Email

Now to get to the malware.

Images from opening the Word docs. The DHL ones can have either Word doc attachment. All the e-fax ones had the same-looking attachment.

Fake DHL Doc

I have found 3 different Word docs involved in this campaign so far, VirusTotal [1] [2] [3]; each one displays something different when opened and has different macros, and 2 of them contact different URLs to download the payload. All 3 payloads are different sizes with different file hashes.

VirusTotal reports on payloads [1] [2] [3]

Anyrun reports [1] [2] [3]

I am also seeing 2 different ransom note addresses today, so we possibly have 2 different affiliates involved in this campaign:

http://gandcrabmfe6mnef.onion/b6314679c4ba3647

http://gandcrabmfe6mnef.onion/5124d7737cd9e0e6
