November 23rd, 2020

Unraveling the TrickBot Ransomware Threat with UltraThreat Feeds Data

Everything on the Internet – good and bad – leaves tracks in DNS data.

I know, a blinding glimpse of the obvious. But that obvious statement explains why security professionals knew DNS data could provide important threat insights – long before they could isolate those insights in a useful time frame from billions of daily data queries.

Now, Neustar UltraThreat Feeds delivers DNS-derived threat insights in near real time by applying machine learning to that stream of DNS query data.

Security-conscious enterprises around the world rely on the actionable data in these feeds for important, timely insights into a range of serious threats.

Gaining actionable insights into timely threats from DNS data is an undeniable breakthrough for security professionals. Yet it is still just one aspect of the myriad ways security investigators can leverage DNS data to uncover important insights.

A recent joint alert from CISA (the Cybersecurity and Infrastructure Security Agency), the FBI and HHS (AA20-302A, October 28, 2020) called attention to a surge in ransomware attacks against healthcare organizations, with many of the attackers using TrickBot malware as the initial vehicle.

We wanted to demonstrate how investigators could use UltraThreat Feeds data as well as the DNS data underlying them to uncover useful insights into the domains associated with TrickBot.

For this demonstration, we focused on a single domain, one of the 367 domains (along with 768 IP addresses) associated with TrickBot that we gathered from open sources. If you were to see suspicious activity associated with a domain in your own network logs, you could conduct the same kind of investigation.

We started by looking for historical data on the domain, specifically when it was seen in our Newly Observed Domains UltraThreat Feed, which includes newly activated first-level, second-level and fully qualified domains. It appeared five times during the year:

Domain        Timestamp (Newly Observed Domains feed)
Example.com   January 2, 2020, 1:00 pm
              March 31, 2020, 12:30 pm
              May 7, 2020, 10:00 am
              August 8, 2020, 2:34 pm
              October 27, 2020, 5:00 pm

This is commonly observed behavior for malicious sites: cybercriminals set them up and then leave them dormant for long periods, with only occasional activity, perhaps waiting until malware has been implanted in a targeted network or infrastructure before the domain is put to use.

Now, imagine that you had observed unusual activity in your own network logs around March 31 and August 8. You could then query the UltraThreat Feeds data for more insight into the domain during those two periods, such as any changes in its infrastructure or activity. For each of the five sightings we examined the seven-day period following the domain's appearance, looking at:

  • Counts of the content of the domain: distinct host IPs, subdomains and name servers (cnt-hostIP, cnt-subdomain, cnt-ns)
  • Counts of the activity against the domain: distinct recursive resolver IPs, stub IPs and stub IPs that received NXDOMAIN responses (cnt-rcrsv, cnt-stub, cnt-nxstub)

start           end             cnt-hostIP  cnt-subdomain  cnt-ns  cnt-rcrsv  cnt-stub  cnt-nxstub
1/2/20 13:00    1/9/20 13:00    5           1              8       101        25917     3465
3/31/20 12:30   4/7/20 12:30    5           1              8       81         52079     3108
5/7/20 10:00    5/14/20 10:00   5           1              8       118        56465     3476
8/8/20 14:34    8/15/20 14:34   4           1              8       170        52127     2507
10/27/20 17:00  11/3/20 17:00   6           1              8       119        54622     2580

The rows for March 31 and August 8 are the ones of particular interest. The host-IP count drops from 5 to 4 between those two windows, which could indicate a change in the domain's hosting infrastructure. Similarly, the number of distinct recursive resolvers querying the domain roughly doubles over the same span (81 to 170), which raises further questions, and suspicions.

At this point, we have already uncovered enough questionable information to put this domain on a watch list, if not block it outright.

But we could also investigate further by looking at the IP addresses the domain resolved to, to learn how many other domains are hosted on each IP and how much activity each IP sees: the counts of recursive resolvers, stubs and nonexistent-domain queries associated with it.

IP              cnt-hostdn  cnt-rcrsvdn  cnt-stbdn  cnt-nonxd
185.99.xx.xx    2           3            2          0
213.252.xx.xxx  1           7            10         2
103.221.xx.xx   0           0            0          0
51.89.x.xx      0           0            0          0
45.147.xx.xx    4           3            0          1

Although activity on these IPs is low, three of them host at least one additional domain, and each of those domains could be investigated in the same way as the original one.
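The two pivots described above (a per-window profile of one domain, then a pivot from its hosting IPs to the other domains on them) are straightforward to compute from raw resolver logs. The following is an added worked example, not Neustar code and not the UltraThreat Feeds API: the record layout, the field names and every event in it are constructed for illustration, with names under the reserved .example TLD and IPs from the RFC 5737 documentation ranges. The only real input is the five sighting times from the table above, which it uses to compute the gaps between sightings.

```python
# Added worked example (not Neustar code, not the UltraThreat Feeds API):
# computes the 7-day domain profile and the hosting-IP pivot from raw
# passive-DNS-style resolver records, plus the gaps between Newly Observed
# Domains sightings. Record layout, field names and all events are constructed.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass(frozen=True)
class DnsEvent:
    """One logged query as a recursive resolver might record it (constructed)."""
    ts: datetime             # time the query was seen
    qname: str               # queried name, lower-case, no trailing dot
    stub_ip: str             # client (stub resolver) that asked
    recursive_ip: str        # recursive resolver that served it
    answer: Optional[str]    # A-record answer, or None
    nxdomain: bool = False   # True when the name did not exist


def registered_domain(qname: str) -> str:
    """Toy eTLD+1 (last two labels); real code should use the Public Suffix List."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def window_profile(events, domain, start, days=7):
    """Distinct counts for `domain` in [start, start + days), mirroring the
    cnt-hostIP / cnt-subdomain / cnt-rcrsv / cnt-stub / cnt-nxstub columns."""
    end = start + timedelta(days=days)
    host_ips, subdomains, rcrsv, stub, nxstub = set(), set(), set(), set(), set()
    for e in events:
        if not (start <= e.ts < end) or registered_domain(e.qname) != domain:
            continue
        rcrsv.add(e.recursive_ip)
        stub.add(e.stub_ip)
        if e.qname != domain:
            subdomains.add(e.qname)
        if e.nxdomain:
            nxstub.add(e.stub_ip)      # stubs that asked for names that do not exist
        elif e.answer:
            host_ips.add(e.answer)
    return {"cnt-hostIP": len(host_ips), "cnt-subdomain": len(subdomains),
            "cnt-rcrsv": len(rcrsv), "cnt-stub": len(stub),
            "cnt-nxstub": len(nxstub), "host_ips": sorted(host_ips)}


def ip_pivot(events, ips, exclude_domain):
    """For each hosting IP: how many other registered domains resolve to it and
    how many resolvers / stubs asked for them (the cnt-hostdn style columns)."""
    pivot = {}
    for ip in ips:
        doms, rcrsv, stub = set(), set(), set()
        for e in events:
            if e.answer != ip or registered_domain(e.qname) == exclude_domain:
                continue
            doms.add(registered_domain(e.qname))
            rcrsv.add(e.recursive_ip)
            stub.add(e.stub_ip)
        pivot[ip] = {"cnt-hostdn": len(doms), "cnt-rcrsvdn": len(rcrsv),
                     "cnt-stbdn": len(stub), "domains": sorted(doms)}
    return pivot


def dormancy_gaps(sightings):
    """Whole days between successive Newly Observed Domains sightings of a name."""
    ts = sorted(sightings)
    return [round((b - a).total_seconds() / 86400) for a, b in zip(ts, ts[1:])]


# The five sighting times from the table above, as datetimes.
NOD_SIGHTINGS = [datetime(2020, 1, 2, 13, 0), datetime(2020, 3, 31, 12, 30),
                 datetime(2020, 5, 7, 10, 0), datetime(2020, 8, 8, 14, 34),
                 datetime(2020, 10, 27, 17, 0)]

# Constructed resolver events around the March 31 sighting. The day-8 event
# falls outside the seven-day window and must not be counted.
WINDOW_START = NOD_SIGHTINGS[1]
D = WINDOW_START
EVENTS = [
    DnsEvent(D + timedelta(hours=1), "suspect.example", "192.0.2.10", "198.51.100.1", "203.0.113.5"),
    DnsEvent(D + timedelta(hours=2), "suspect.example", "192.0.2.11", "198.51.100.2", "203.0.113.6"),
    DnsEvent(D + timedelta(days=1), "cdn.suspect.example", "192.0.2.12", "198.51.100.1", "203.0.113.5"),
    DnsEvent(D + timedelta(days=2), "xk3.suspect.example", "192.0.2.13", "198.51.100.3", None, True),
    DnsEvent(D + timedelta(days=8), "suspect.example", "192.0.2.14", "198.51.100.4", "203.0.113.7"),
    DnsEvent(D + timedelta(days=3), "other.example", "192.0.2.20", "198.51.100.2", "203.0.113.5"),
    DnsEvent(D + timedelta(days=4), "third.example", "192.0.2.21", "198.51.100.5", "203.0.113.5"),
]

if __name__ == "__main__":
    print("gaps between sightings (days):", dormancy_gaps(NOD_SIGHTINGS))
    profile = window_profile(EVENTS, "suspect.example", WINDOW_START)
    print("7-day profile:", profile)
    print("IP pivot:", ip_pivot(EVENTS, profile["host_ips"], "suspect.example"))
```

Two design points carry over to real data: the window is half-open and keyed to the sighting time, so a query logged exactly seven days later is excluded rather than double-counted across adjacent windows, and the IP pivot drops the original domain before counting, so cnt-hostdn really means other domains on that host. The registered-domain helper is deliberately a toy; on live logs you need Public Suffix List handling or names under multi-label suffixes will be grouped wrongly.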

Moreover, we could gain further insights into the hosting IPs by using additional security data resources available from Neustar:

  • We could access UltraReputation data for each IP address, including risk scoring that provides crucial insights into the likelihood that the IP is being used for malicious purposes
  • We could also tap UltraGeoPoint data to learn relevant network information about the hosting IP such as ASN, state/country of origin and so on

These additional insights could help a security team better understand the actual level of risk associated with the domain and its IP infrastructure, and uncover previously unknown domains that present a similar degree of risk.

This small sample investigation into one potentially malicious domain demonstrates how threat investigators can leverage Neustar’s DNS-derived UltraThreat Feed data, along with our IP data resources, to help understand threats and better protect digital resources.

If you would like to learn more about how these data resources could help your security team and your business, please reach out. We'd be happy to continue this discussion.
