Survey of C2 Servers in Japan (Week 33, 2024)

Introduction

Using Censys, I tallied infrastructure in Japan that is labelled as C2.
The period is August 12 through August 18 (up to the morning of the 18th).
Starting this week I have also written Pythia queries, which I hope will serve as a reference.
For PYTHIA, see the repository below.

github.com

Total period: 8/12 to 8/18

Total number of C2 servers found: 16 IPs

Daily tally of C2 servers found

Date   Number of IPs
8/12   2
8/13   2
8/14   3
8/15   4
8/16   2
8/17   3
8/18   0

Type of C2 servers found

C2                                            Count
VIPER                                         3
Cobalt Strike                                 3
Viper/Asset Reconnaissance Lighthouse (ARL)   2
Supershell                                    2
ShadowPad                                     2
MooBot                                        1
LightSpy                                      1
Havoc                                         1
Brute Ratel C4                                1

Aggregate Data

No  Date    IP                       ASN     AS label                                       Censys tag
1   Aug 12  57[.]180[.]39[.]55       16509   AMAZON-02                                      MooBot
2   Aug 12  172[.]105[.]209[.]68     63949   Akamai Connected Cloud                         Viper/Asset Reconnaissance Lighthouse (ARL)
3   Aug 13  66[.]42[.]40[.]65        20473   AS-CHOOPA                                      Cobalt Strike
4   Aug 13  64[.]176[.]44[.]238      20473   AS-CHOOPA                                      ShadowPad
5   Aug 14  18[.]177[.]226[.]4       16509   AMAZON-02                                      Brute Ratel C4
6   Aug 14  156[.]236[.]73[.]107     138152  YISU CLOUD LTD                                 Fortra Cobalt Strike
7   Aug 14  64[.]176[.]53[.]146      20473   AS-CHOOPA                                      Supershell
8   Aug 15  3[.]112[.]189[.]10       16509   AMAZON-02                                      VIPER
9   Aug 15  45[.]32[.]61[.]100       20473   AS-CHOOPA                                      Viper/Asset Reconnaissance Lighthouse (ARL)
10  Aug 15  45[.]155[.]220[.]79      134835  Starry Network Limited                         LightSpy
11  Aug 15  35[.]79[.]226[.]190      16509   AMAZON-02                                      Cobalt Strike
12  Aug 16  167[.]179[.]103[.]75     20473   AS-CHOOPA                                      ShadowPad
13  Aug 16  45[.]192[.]178[.]207     137443  ChangLian Network Technology Co., Limited      VIPER
14  Aug 17  18[.]179[.]136[.]174     16509   AMAZON-02                                      VIPER
15  Aug 17  3[.]112[.]247[.]238      16509   AMAZON-02                                      Supershell
16  Aug 17  13[.]231[.]179[.]125     16509   AMAZON-02                                      Havoc

Appendix: Pythia queries

Find Supershell in Japan

title: Supershell Japan
id: pythia-b3ffbbdb-e673-4b09-b805-299695619932
status: stable
description: This query searches for supershells whose location is Japan.
references:
    - https://hunt.io/blog/uncovering-supershell-and-cobalt-strike-from-an-open-directory
tags:
    - supershell
author: disconinja,@momomopas
date: 2024/08/18
query:
    parameters:
        part1:
          http_title: ':"Supershell - 登录"'
        part2:
          http_body_hash: ':"6084d5352ce347a3f6b9f7b789acc8b422b748a0cd99549f2ea534e439b8999b"'
        part3:
          country_code: ':"JP"'
    condition: (part1 or part2) and part3
falsepositives:
    - Shodan cannot be searched.
    - To search with Hunter, delete part2.
level: low

Find VIPER in Japan

title: VIPER Japan
id: pythia-2eda4ce3-c3f6-4325-bed7-bcaaa327492f
status: stable
description:  This query searches for VIPERs in Japan that use the default certificate.
references:
    - https://hunt.io/blog/into-the-vipers-nest-observations-from-hunts-scanning
tags:
    - VIPER
author: disconinja,@momomopas
date: 2024/08/18
query:
    parameters:
        part1:
          tls_certificate_issuer_cn : ':"0d72da0c"'
        part2:
          tls_certificate_subject_cn: ':"d1d38ec9"'
        part3:
          country_code: ':"JP"'
        part4:
          http_title: ':"VIPER"'
    condition: (part1 or part2)  and part3 and part4
falsepositives:
    - shodan and binaryedge cannot be searched. Others are searchable.
level: low

Find ShadowPad in Japan

title: ShadowPad Japan
id: pythia-1cac6d4b-92fb-47cf-822a-541fff3e117b
status: stable
description: This query searches for ShadowPad in Japan that uses the default certificate.
references:
    - https://bank-security.medium.com/the-evolution-of-shadowpad-infrastructure-187e7914c81f
tags:
    - ShadowPad
author: disconinja,@momomopas
date: 2024/08/18
query:
    parameters:
        part1:
          tls_certificate: ':"2b5e7b17fc6e684ff026df3241af4a651fc2b55ca62f8f1f7e34ac8303db9a31"'
        part2:
          country_code: ':"JP"'
    condition: part1 and part2
falsepositives:
    - hunter,binaryedge,zoomeye,shodan cannot be searched. Others are searchable.
level: low

Find LightSpy in Japan

title: LightSpy Japan
id: pythia-f3d6bf77-3c06-4b90-9385-ffece0d2fe14
status: stable
description:  This query searches for LightSpy in Japan that use the default certificate.
references:
    - https://hunt.io/blog/tracking-lightspy-certificates-as-windows-into-adversary-behavior
tags:
    - LightSpy
author: disconinja,@momomopas
date: 2024/08/18
query:
    parameters:
        part1:
          tls_certificate: ':"c0d4517e0727e94887d3b8a2c6c69938930995a8bcf37c9dafbd3a86b042417c"'
        part2:
          country_code: ':"JP"'
    condition: part1 and part2
falsepositives:
    - hunter,binaryedge,zoomeye,shodan cannot be searched. Others are searchable.
level: low

Find Brute Ratel C4 in Japan

title: Brute Ratel C4 Japan
id: f302c5ac-b014-4a18-bb0b-4185ceb22fd4
status: stable
description: This query searches for Brute Ratel C4 whose location is Japan.
references:
    - https://detect.fyi/hunting-malicious-infrastructure-using-jarm-and-http-response-bb4a039d4119
tags:
    - Brute Ratel C4
author: disconinja,@momomopas
date: 2024/08/18
query:
    parameters:
        part1:
          http_body_hash: ':"96d0095b3dba19672e50a7c9d75b9b76fe8cbcbd27b58d58d64669a097c56660"'
        part2:
          country_code: ':"JP"'
    condition: part1 and part2
falsepositives:
    - zoomeye, hunt, shodan, fofa cannot be searched.
level: low
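As an added example (not part of the original post or of the PYTHIA project), the Python below takes the "Supershell Japan" query's part/condition structure, evaluates it against constructed host records, and renders it as a single search string. It reads the field names and the ':"value"' wrapper exactly as the appendix writes them; how a given engine maps those fields to its own syntax is an assumption left out of the block.

```python
import ast
import re
# The "Supershell Japan" query from the appendix, as a dict so no YAML library is needed.
SUPERSHELL_JP = {
    "parameters": {
        "part1": {"http_title": ':"Supershell - 登录"'},
        "part2": {"http_body_hash": ':"6084d5352ce347a3f6b9f7b789acc8b422b748a0cd99549f2ea534e439b8999b"'},
        "part3": {"country_code": ':"JP"'},
    },
    "condition": "(part1 or part2) and part3",
}

# Constructed host records in the shape a scan engine returns (TEST-NET addresses, not real hits).
HOSTS = [
    {"ip": "203.0.113.10", "country_code": "JP", "http_title": "Supershell - 登录"},
    {"ip": "203.0.113.11", "country_code": "JP", "http_title": "Login", "http_body_hash": "6084d5352ce347a3f6b9f7b789acc8b422b748a0cd99549f2ea534e439b8999b"},
    {"ip": "198.51.100.5", "country_code": "US", "http_title": "Supershell - 登录"},
]

def part_matches(part, host):
    """A part matches when every field equals the host's value; the ':"..."' wrapper is stripped."""
    for field, raw in part.items():
        m = re.fullmatch(r':"(.*)"', raw)
        if m is None:
            raise ValueError(f"unsupported value syntax for {field}: {raw!r}")
        if host.get(field) != m.group(1):
            return False
    return True

def evaluate(query, host):
    """Evaluate the condition (and / or / parentheses) with each partN replaced by its match result."""
    truth = {name: part_matches(p, host) for name, p in query["parameters"].items()}
    def walk(node):
        if isinstance(node, ast.Expression):
            return walk(node.body)
        if isinstance(node, ast.BoolOp):  # 'and' / 'or', possibly with more than two operands
            vals = [walk(v) for v in node.values]
            return all(vals) if isinstance(node.op, ast.And) else any(vals)
        if isinstance(node, ast.Name): return truth[node.id]
        raise ValueError(f"unsupported condition syntax: {ast.dump(node)}")
    return walk(ast.parse(query["condition"], mode="eval"))

def to_search_string(query):
    """Render the query as one search expression: each partN becomes field:"value"."""
    expr = query["condition"]
    for name, part in query["parameters"].items():
        clause = " and ".join(f"{f}{v}" for f, v in part.items())
        expr = re.sub(rf"\b{name}\b", lambda _m, c=clause: c, expr)
    return expr
```

Only the two JP hosts match: the first on the login-page title, the second on the body hash alone, which is why the falsepositives note says Hunter users can drop part2 and still get title-based hits.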