Leveraging ASNs and Pivoting to Uncover Malware Campaigns

Identifying and Mitigating Complex Malware Campaigns with ASNs

This week, I spent a good deal of time going down some rabbit holes - all of which were fascinating. However, this is an example where some of the work we do we would like to share but aren't always able. In this instance, we found confidential information related to a hacked mail server within malware we detonated. The malware was configured to use a government mail server as a relay to email out keylogger data.

In each case of the malware, there were essentially two victims, the victim(s) of the malware, and the operators of the mail server being used in the attacks. We've notified the department that manages the mail server of the compromise, and of the credentials used to send mail with their server.

This brings me to the "how" of it all. Cyber threat intelligence (CTI) experts and investigators face the daunting challenge of identifying and mitigating complex malware campaigns. These campaigns, orchestrated by sophisticated threat actors, often leverage diverse infrastructure and techniques to evade detection and compromise targets.

In this blog, we'll explore in detail how CTI experts can harness the power of Autonomous System Numbers (ASNs) and employ pivoting techniques to uncover and analyze malware campaigns. By understanding the nuances of ASNs and mastering effective pivoting strategies, CTI professionals can enhance their capabilities in threat detection, attribution, and response.

Understanding ASNs

Autonomous System Numbers (ASNs) serve as unique identifiers assigned to networks participating in the global routing system. Each ASN corresponds to an organization or entity that controls a portion of the internet's IP address space. By analyzing ASNs, CTI experts can gain valuable insights into the infrastructure utilized by threat actors to conduct malicious activities.

These insights include identifying the origins of malicious traffic, pinpointing hosting providers associated with malware distribution, and tracing connections between seemingly disparate cyber threats.

Pivoting with ASNs

Pivoting is a fundamental investigative technique that involves using known information or indicators of compromise (IOCs) as a starting point to uncover additional related data and connections. When investigating malware campaigns, CTI experts can pivot using ASNs to expand their understanding of the threat landscape and uncover hidden relationships.

Here's a step-by-step breakdown of how pivoting with ASNs can be accomplished:

1. Initial Investigation: The process begins with collecting IOCs such as IP addresses, domain names, file hashes, and other artifacts associated with a suspected malware campaign. These IOCs serve as the starting point for the investigation.

2. ASN Enumeration: CTI experts utilize specialized tools, databases, and techniques to map the collected IP addresses to their corresponding ASNs. This mapping provides crucial insights into the ownership and affiliations of the networks involved in the malware campaign.

3. ASNs Analysis: Once the ASNs associated with the collected IOCs are identified, CTI professionals conduct a detailed analysis to uncover patterns, anomalies, and potential relationships between different malware campaigns. They look for commonalities such as shared infrastructure or hosting providers used by multiple threats.

4. Expand Investigation: Armed with insights from the ASNs analysis, CTI experts pivot further to gather additional IOCs associated with the same ASNs. This may involve exploring related IP ranges, domains hosted on the same infrastructure, or other ASNs controlled by the same organization.

5. Threat Attribution: The final step involves analyzing the gathered data to attribute the malware campaigns to specific threat actors or groups. By tracing connections between different ASNs and malware activities, CTI experts can uncover the broader infrastructure and operations of malicious actors.

Using ASNs to Uncover a Malware Campaign

To illustrate the effectiveness of this approach, let's consider a hypothetical scenario where a CTI team investigates a ransomware campaign targeting a financial institution. By analyzing the ransomware samples and associated IOCs, the team identifies several IP addresses used as command and control (C2) servers.

Through ASN enumeration and analysis, they discover that these IP addresses belong to a hosting provider known for harboring malicious activities. Pivoting with the identified ASN leads them to uncover additional C2 servers, domains, and IP ranges used by the same threat actor across multiple campaigns. This comprehensive view enables the CTI team to attribute the ransomware campaign to a sophisticated cybercriminal group and take proactive measures to disrupt their operations.

Read: How HYAS Insight Threat Intelligence Platform Uncovered and Mitigated a Russian-Based Cyber Attack

Conclusion

In conclusion, the strategic utilization of ASNs and pivoting techniques with HYAS Insight threat intelligence is indispensable for CTI experts and investigators in their efforts to combat malware campaigns. By leveraging ASNs to trace connections and employing pivoting to uncover hidden relationships, CTI professionals can gain deeper insights into the tactics, techniques, and procedures (TTPs) employed by threat actors.

This enhanced understanding enables organizations to better protect their assets, mitigate risks, and respond effectively to evolving cyber threats. With a proactive and strategic approach to threat intelligence, CTI experts can stay ahead of adversaries and safeguard the digital ecosystem against malicious activities.


Is your security program prepared to defend against advanced malware and other sophisticated cyberthreats? Learn how HYAS can optimize your defenses.  Request a HYAS demo today.