Recently, we have an incident where suspicious traffic was observed related to external C2. Initial finding found that this IP 172.241.27.17 (172.241.24.0/21) resolved to
atakai[-]technologies[.]host; according to pDNS in Virustotal [1].
So, further digging on this IP found it has port 50050 open. Based on Recorded Future threat analysis report & Cobalt Strike Team Server Population Study, it mentioned that default port for Cobalt Strike controller is on port 50050.
So, I asked to myself. What if the neighboring IPs were also been setup for Cobalt Strike infrastructure? So I decided to go on this journey…
First, we know that the IP range is 172.241.24.0/21. By using this tool, we can convert CIDR notation to a range of IP addresses.
The result, we have 2048 addresses; IP address range between 172.241.24.0-172.241.31.255.
Next, we using online tool named Reverse IP & DNS API from WhoisXML API. Function of this tools is to reveals all domains that share an IP address. Example as below:
To use this tools, we need to buy credit to leverage its API. As for free account, you only have 100 credit to be use on Domain Research Suite tools. But on this case, we need around 2050 credit. Based on their website, 1000 DRS credits = $19.00. So.. yeah..
After you have enough credit, you can use the script as below:
#!/bin/bash url="https://reverse-ip.whoisxmlapi.com/api/v1?apiKey=whoisxml_apikey&ip=" for i in $(cat ip.txt); do content="$(curl -s "$url$i")" echo "$content" >> output.txt done
Remember to put your API key into the script. It will basically produce result into “output.txt“.
After that, import you result into Excel. Then, we sort and select possible domains from the output based on domain naming convention; e.g. atakai, amatai, amamai:
Now we have possible suspected IPs & domains. To further digging, we’ll leverage Shodan.io to see what are the open port available for those IPs.
To use it, we’ll using script as below:
$ curl -s https://api.shodan.io/shodan/host/{172.241.27.17,172.241.27.44,172.241.27.62,172.241.27.65,172.241.27.66,172.241.27.68,172.241.27.72,172.241.27.225,172.241.29.155,172.241.29.156,172.241.29.157}?key=shodan_apikey | jq -r '. | "IP: \(.ip_str) Ports: \(.ports)"'
The output should be like this:
Now we know 7/11 (no pun intended) IPs been observed by Shodan having port 50050 opened. This indicate that this set of IPs possibly used part of Cobalt Strike infra.
Next step is we can search for date registration for each domain from Whois data. But I’m too lazy to continue this. Also I’ve encountered where several Whois provider giving different info regarding of domain registration date. So yeah, maybe I’ll update next time when I’m free 😉