Last week we reported on a fairly large scale Gandcrab ransomware campaign that was assisted in delivery via a security hole in Godaddy (and almost certainly other major DNS providers). Some of the major tech sites reported on the DNS compromise with a message that Godaddy was aware of it & was “fixing” the problem. Well 10 days later it still isn’t fixed and the criminals are continuing to use the “exploit”, Misconfiguration, or security hole in Godaddy DNS system.
Update 3 February 2019: I have heard back from a member of Godaddy Security team, who assures me the misconfiguration was fixed last week to prevent further usage of the vulnerability, but some dangling domains that had already been added to a miscreant’s account were missed. They are now reviewing & searching again to hopefully finally clear up the situation and prevent any further occurrence. We know from the original research quoted in the 2 articles that other major DNS providers are extremely likely to be vulnerable. I hope they will also examine their services & fix anything found. I can understand the problems that a company like Godaddy that hosts millions of sites and DNS entries will have.
It is relatively simple to scan all DNS entries and check whether they direct to a Godaddy site or an off-site external host. The problem comes in determining whether the external host is legit or fraudulent. (The campaign this week used hosting companies not previously known to be involved with this). Many people purchase a domain from Godaddy & consequently use Godaddy’s DNS service, but host their website or email externally. There are also lots of users who purchased a domain from another domain registrar ( quite often because of special offers & extremely low introductory prices ) but host on Godaddy or have an account on Godaddy so point the domain to their Godaddy account and use Godaddy DNS services, but still host some services externally as well.
To further exacerbate the problem, quite a large number of people, especially companies, purchase a domain name, either never use it or have used it but no longer need it, but keep it registered to prevent a competitor or anybody else using it. It appears to be this final group who have stopped using the domain but left the DNS on the Godaddy DNS server, without any existing zone file that tells where requests for that domain name should be sent to that have been vulnerable to the misconfiguration exploit. The Misconfiguration had allowed any Godaddy account holder that used or with access to the same DNS server(s) as a “vulnerable” domain name ( One without an existing zone file) to add that domain name to their account & direct it to a server of their choice.
This can happen on any server. In fact this has been known to be a problem on Cpanel & WHM controlled “shared” servers where the settings clearly warn about this problem. It appears to be the “Allow Remote Domains” setting or a variation of it that has allowed this to happen.
I would think that the permanent “cure” for this would be for Godaddy & all other Multi-Tenant DNS provider to scan all their systems for “Orphaned” DNS entries where the domain points to the DNS service and has no zone file associated with it & automatically create a simple zone file that sends all requests to a “Holding” or “Adverting” page on the service. This is what the majority of Domain name registrars do with newly created domains, that immediately point to a holding page saying ” This domain was purchased on domainname.com. You will see this page until the owner sets up a site.”
These posts by Brian Krebs and ArsTechnica give details about the “exploit” and the way is has been used for several months in massive scam campaigns.
I first posted about this Godaddy compromise / vulnerability / Security hole in early December
These malware campaigns delivering Gandcrab Ransomware ( and probably other malware campaigns)are not anywhere near the scale of the “Bomb Threats” or “sextortion” Scams but are numerous enough for some researchers to notice, but not for the mainstream tech media to pick up on at this stage.
What makes these malware laden emails much more likely to be delivered is the fact that the sending domains all have a good reputation. There are dozens, if not hundreds of domains involved in this particular campaign. Almost all the domains have been registered for many years, some for more than 10 years.
There have been 2 basic themes of this campaign that started yesterday 1 February 2019. DHL deliveries & E-fax messages
Some subjects and alleged senders include:
- Urgent delivery DHL Express
- Shipment details DHL Express
- Order details DHL Express
- Shipping status DHL Express
- Nеw еFAX mеssage AT&T E-FAX
- Nеw еFAX mеssagе Sogatel E-FAX
Email Addresses that have been seen used in this campaign ( Note all the domains start with an “A or a B “, Which was the same pattern with last week, so I am pretty sure these criminals will be saving up the rest of the alphabet for later campaigns. Or there are so many vulnerable domains starting with “A or B ” using Godaddy DNS services that the criminals have no need to go any further down the alphabet). These are only the email addresses & domains that I saw or found easily via my contacts on Twitter. I am certain that somebody with access to VirusTotal intelligence or one of the companies specialising in spam & malware filtering services will find many more examples of the DNS compromises.
All the domains use Godaddy DNS servers NS57.DOMAINCONTROL.COM and NS58.DOMAINCONTROL.COM
All these domains are hosted on 2 IP ranges Both companies are new entrants to the list of hosting services involved in this “Spammy Bear” campaign
- 185.144.28.* AS44493 Chelyabinsk-Signal LLC A Russian Hosting company
- 89.191.234.* AS40824 WZ Communications Inc. Based In Texas USA
Here are a few screen shots of the ones I received followed by a screengrab from a twitter post by another researcher
Next an example of the Fake DHL delivery messages
Next an example of the E-Fax emails ( with the e-fax ones all the companies in the body of the email are different & random)
Now to get to the malware
Images from opening the word docs. The DHL ones can have either word doc attachment. All the e-fax ones had the same looking attachment.
I have found 3 different word docs involved in this campaign so far VirusTotal    each one has a different displays when opened & different macros & 2 of them contact different urls to download the payload.All 3 payloads are different sizes and different file hashes
Virustotal reports on Payloads   
Anyrun reports   
I am also seeing 2 different ransom note addresses today, so we possibly have 2 different affiliates involved in this campaign
http://gandcrabmfe6mnef.onion/5124d7737cd9e0e6 Main object- “Urgent notice.doc”
Dropped executable file
sha256 C:\windows\temp\putty.exe 07de185bb18610f471a31358c74c2e2da0dc505ade21cbe9cae5c8ba3fd66add
 Main object- “Notice (2).doc”
Dropped executable file
sha256 C:\windows\temp\putty.exe 5b13e0c41b955fdc7929e324357cd0583b7d92c8c2aedaf7930ff58ad3a00aed
 Main object- “Notice.doc”
Dropped executable file
sha256 C:\windows\temp\putty.exe 281972a2289e43f63cd4c00ce2b85c4a6cd7f95948cc9f656d4f7c2a59def40f