Five practical examples that any analyst can use to uncover malicious infrastructure with Passive DNS

Introduction

Passive DNS is a powerful tool that enables analysts to discover infrastructure through patterns contained in DNS records. Since DNS includes information on IP addresses (via A records) and name servers (via NS records), we can use these values to look for commonalities where the same records have been re-used and shared across domains.

You’d be surprised just how much you can find with Passive DNS, so today, we’re exploring five practical examples that any analyst can use to uncover malicious infrastructure with Passive DNS.

What Is Passive DNS?

Passive DNS is effectively a database of DNS “snapshots” over time. This allows an analyst to observe domain records (such as associated network infrastructure) and compare them to where the record has pointed before.

With billions of records in a single database, an analyst can pivot and “reverse” search discovered values. This data allows for easily discovering records sharing the same values and infrastructure.

Rebuilding a Coyote Trojan C2 List With Passive DNS Records

Consider the domain cloridatosys[.]com, initially published in a BlackBerry report and linked to the Coyote banking trojan.

The end of the report contains 18 domains related to Coyote. A small subset is shown below.

Coyote C2s published by BlackBerry provide starting points.

As an exercise, let’s see if we can take any of these domains individually and then discover the remainder of the list using Passive DNS records.

Let’s start with cloridatosys[.]com.

Searching the domain and browsing the Resolutions tab reveals the DNS snapshots stored in the Validin database. For our searched domain, there are two NS (name server) records, two A (IPv4) records, and one NX record. These records represent changes to the domain's DNS records over time, shown in the First Seen and Last Seen columns on the right-hand side.

Passive DNS from Validin shows the A and NS records for the Coyote domain.

If we observe closely, we can see that the most recent associated IP address is 20.201.119[.]204. The domain first used this IP on 2023-12-20 and is still active as of July 2024.

The power of passive DNS is the ability to discover other domain records associated with the same IPv4 values. This is a quick and effective way of finding related infrastructure, as domains that have used the same IP address are likely related to the same activity.

Pivot through Passive DNS in Validin by clicking one of the results.

To pivot on that resolved IP of 20.201.119[.]204, we can click the IP address directly or copy and paste it into the search bar. This pivot will enable us to see all domains that have shared the same IP address in their DNS records.

Searching for 20.201.119[.]204 and browsing the Resolutions tab reveals 48 domains using the IP.

Result of passive DNS pivot shows 48 domains have used this IP.

There are a few too many to fit into a single screenshot, but if we compare just a subset of the results against those shared by BlackBerry, we can see that we have discovered a large number of the same domains.

Matching the domains in Validin PDNS history to the domains from the original malware report.

Exporting and comparing the domains from both Validin and BlackBerry, we can see that this single pivot has captured all 18 domains shared in the BlackBerry report.

Comparing the domains from the report with the Validin results shows complete overlap.

Calculating the difference between the two lists of domains, we can see that this simple pivot has discovered 30 additional domains sharing the same IP infrastructure.

Now, it is likely that these are not all linked to Coyote, but it is interesting to note that the infrastructure is shared and that our search has returned every value shared in the BlackBerry report.

Although these additional results may not all be Coyote, all of these domains could be added to a monitoring or block list.

Passive DNS history reveals 30 more domains that were not in the original report.
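The Coyote walkthrough above is, at its core, two operations: a reverse lookup of every A record value the seed domain has used, and a set comparison of the pivot results against a published indicator list. The following is an added example, not code from the original post or from Validin; it runs the same two steps over a small constructed passive-DNS snapshot (the .test domains, RFC 5737 addresses, dates and "report" list are all made up) so the matched, missing and newly discovered domains can be computed rather than eyeballed across screenshots.

```python
"""Added example: reproduce the IP pivot and the report comparison from the
Coyote walkthrough on a constructed passive-DNS snapshot (not Validin output)."""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class PdnsRecord:
    name: str        # the queried domain
    rtype: str       # "A" (IPv4) or "NS" (name server)
    value: str       # resolved address or name server
    first_seen: str  # ISO date of first observation
    last_seen: str   # ISO date of most recent observation


# Constructed snapshot. Names use the .test TLD and RFC 5737 documentation
# ranges; the shape mimics a pDNS Resolutions tab, the values are invented.
SNAPSHOT = [
    PdnsRecord("seed-c2.test", "NS", "ns1.registrar.test", "2023-11-01", "2024-07-15"),
    PdnsRecord("seed-c2.test", "A", "198.51.100.5", "2023-11-01", "2023-12-19"),
    PdnsRecord("seed-c2.test", "A", "203.0.113.10", "2023-12-20", "2024-07-15"),
    PdnsRecord("alpha.test", "A", "203.0.113.10", "2024-01-03", "2024-07-15"),
    PdnsRecord("bravo.test", "A", "203.0.113.10", "2024-02-11", "2024-06-30"),
    PdnsRecord("charlie.test", "A", "198.51.100.5", "2023-11-20", "2024-01-02"),
    PdnsRecord("delta.test", "A", "203.0.113.10", "2024-03-01", "2024-07-15"),
    PdnsRecord("unrelated.test", "A", "192.0.2.9", "2024-01-01", "2024-07-15"),
]

# Constructed stand-in for a vendor's published list of C2 domains.
REPORT_DOMAINS = {"seed-c2.test", "alpha.test", "bravo.test", "charlie.test"}


def a_records(records, domain):
    """IPv4 addresses a domain has resolved to, most recently seen first."""
    hits = [r for r in records if r.name == domain and r.rtype == "A"]
    return [r.value for r in sorted(hits, key=lambda r: r.last_seen, reverse=True)]


def reverse_index(records):
    """Map each A-record value to the domains that have ever pointed at it."""
    index = defaultdict(set)
    for r in records:
        if r.rtype == "A":
            index[r.value].add(r.name)
    return index


def pivot_on_ips(records, domain):
    """Every domain sharing at least one IPv4 address with `domain`
    (the seed itself is included, as it is in the Validin results)."""
    index = reverse_index(records)
    related = set()
    for ip in a_records(records, domain):
        related |= index[ip]
    return related


def compare_with_report(pivot_domains, report_domains):
    """Split the pivot output into report hits, report misses and new finds."""
    return {
        "matched": pivot_domains & report_domains,
        "missing": report_domains - pivot_domains,
        "new": pivot_domains - report_domains,
    }


def defang(domain):
    """Render a domain the way the article does, so it cannot be clicked by mistake."""
    return domain.replace(".", "[.]")


if __name__ == "__main__":
    found = pivot_on_ips(SNAPSHOT, "seed-c2.test")
    result = compare_with_report(found, REPORT_DOMAINS)
    print(f"pivot returned {len(found)} domains")
    print("missing from pivot:", sorted(map(defang, result["missing"])))
    print("new candidates:", sorted(map(defang, result["new"])))
```

The "missing" set is the useful sanity check: an empty set means the pivot reproduced the whole published list, as in the BlackBerry comparison, while anything left in it tells you the report's author had a source of linkage (a sample, a certificate, a panel) that this IP pivot alone does not capture. The "new" set is the candidate list for monitoring, not a verdict.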

Identifying EugenLoader With Passive DNS Pivots

Let’s look at some domains shared on ThreatFox that are marked as EugenLoader.

EugenLoader indicators on ThreatFox.

Like our Coyote example, we can take any domains above and use passive DNS records to find related infrastructure.

Searching for protonpin[.]com shows four associated name servers (NS records) and one associated IPv4 address of 206.206.123[.]151.

DNS history for one of the EugenLoader domain names.

We can click on the IP 206.206.123[.]151 directly to perform a pivot and see domains that have shared the same IP value.

Pivoting on IP to see domains that have shared this IP.

This simple pivot reveals multiple domains in the initial intelligence from ThreatFox.

Comparing DNS history on the IP pivot with the original report shows strong overlap.

By expanding the results and enabling the Timeline, we can observe many other domains shared on ThreatFox.

Timeline view of PDNS history shows many domains from ThreatFox and their temporal relationships.

Identifying Xworm with Passive DNS Pivots

Let’s look at the domain aprilxrwonew8450.duckdns[.]org, which was initially shared on ThreatFox and linked to Xworm malware.

Xworm is a simple Remote Access Trojan (RAT) written in .NET that is commonly used to steal cryptocurrency accounts.

ThreatFox shows details about this domain name indicator for XWorm.

Searching the domain with Validin, we can observe three distinct A records containing IPv4 addresses used by the Xworm domain.

Viewing DNS history for this XWorm indicator.

Pivoting on the A record containing 12.221.146[.]138, we can see the initial domain and dozens of other similarly named domains referencing monthly variants of Xworm infrastructure.

Pivoting on one XWorm IP, we find other XWorm-associated domains that have used that IP.

Pivoting on another A record 134.255.217[.]251, we can see another two domains. These domains no longer reference Xworm specifically, but the usage of duckdns and random naming schemes show substantial similarity.

Another IPv4 pivot shows additional XWorm-associated domains.

All domains discovered through pivoting like this could be added to a block or alert list and monitored closely. The shared naming schemes and network infrastructure strongly suggest that they are related to malicious activity.

Identifying DCRat Through Subdomain Records

Let's now look at the domain 640740cm.nyashka[.]top, shared on ThreatFox and linked to DCRat malware. DCRat (also known as Dark Crystal RAT) is a simple Remote Access Trojan (RAT) that commonly operates under a low-cost Malware-as-a-Service model.

ThreatFox IOC entry for a DCRAT URL indicator.

Searching for this domain in Validin, we can observe ten historical records, all utilizing Cloudflare.

Unfortunately, this limits our pivoting capability on the A records alone, as a Cloudflare IP is often shared between thousands of customers simultaneously, resulting in thousands of "related" domains if we apply the same techniques shown in the previous examples.

DNS history for a DCRAT domain shows Cloudflare usage.

Instead of trying to analyze the Cloudflare IPv4 addresses, we can attempt a pivot on the parent domain.

Parent domains often receive less protection than their subdomain counterparts, so this pivot may lead to more easily analyzed indicators. We can pivot by clicking on the parent domain above our tab menu.

Pivoting using the parent domain for DCRat.

Pivoting reveals that the parent domain of nyashka[.]top is also utilizing Cloudflare for all observed records. So our IPv4 options are limited and we may need to look for other pivot points.

Historical DNS results for the parent domain also show Cloudflare history.

Validin's Passive DNS records contain detailed information about linked subdomains. By browsing the Subdomains tab for nyashka[.]top, we can list the subdomains that have appeared in DNS records.

This tab shows that 12 domains have been observed under nyashka[.]top, each with near identical naming schemes to our initial indicator 640740cm.nyashka[.]top.

Showing subdomains for the parent domain.

We’ve now discovered 12 domains that are very likely to be related to our initial indicator.

As always, these indicators (with their strong similarity) could all be added to alert or block lists.
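The DCRat walkthrough illustrates a decision an analyst makes on every pivot: is this IP specific enough to pivot on, or is it a CDN edge shared by thousands of unrelated tenants? The following is an added example, not code from the original post or from Validin. It scores each A record value by how many distinct domains have used it, refuses to pivot on "crowded" addresses, and falls back to the parent domain's subdomain records, filtered by the seed's naming scheme. All rows are constructed (.test names, RFC 5737 addresses); the crowding threshold, the naive parent-domain split and the naming regex are assumptions for illustration.

```python
"""Added example: pick out IPv4 values that are too crowded to pivot on (the
Cloudflare problem from the DCRat walkthrough) and fall back to the parent
domain's subdomain records instead. Data is constructed, not Validin output."""
import re
from collections import defaultdict

# Constructed passive-DNS rows as (name, rtype, value). The .test names and
# the RFC 5737 address stand in for a CDN edge shared by many tenants.
ROWS = [
    ("640740cm.parent-c2.test", "A", "203.0.113.200"),
    ("111111cm.parent-c2.test", "A", "203.0.113.200"),
    ("222222cm.parent-c2.test", "A", "203.0.113.200"),
    ("333333cm.parent-c2.test", "A", "203.0.113.201"),
    ("www.parent-c2.test", "A", "203.0.113.200"),
    ("parent-c2.test", "A", "203.0.113.200"),
    ("lonely-c2.test", "A", "198.51.100.77"),
    ("peer-c2.test", "A", "198.51.100.77"),
]
# Twenty unrelated tenants on the same edge address, to make it "crowded".
ROWS += [(f"tenant{i}.test", "A", "203.0.113.200") for i in range(20)]

CROWDED_THRESHOLD = 10  # assumed cut-off; tune it to the data set you work with


def domains_per_ip(rows):
    """Reverse index: A-record value -> set of domains that have used it."""
    index = defaultdict(set)
    for name, rtype, value in rows:
        if rtype == "A":
            index[value].add(name)
    return index


def crowded_ips(rows, threshold=CROWDED_THRESHOLD):
    """IPs whose domain count exceeds the threshold: shared hosting or CDN."""
    return {ip for ip, names in domains_per_ip(rows).items() if len(names) > threshold}


def usable_ip_pivots(rows, domain, threshold=CROWDED_THRESHOLD):
    """A-record values of `domain` that are specific enough to pivot on."""
    crowded = crowded_ips(rows, threshold)
    return {v for n, t, v in rows if n == domain and t == "A" and v not in crowded}


def parent_domain(name):
    """Registrable parent, assuming a simple one-label public suffix; a real
    tool should consult the Public Suffix List (e.g. for co.uk)."""
    labels = name.split(".")
    return ".".join(labels[-2:]) if len(labels) > 2 else name


def subdomains_of(rows, parent):
    """Names observed strictly below `parent` in the passive-DNS rows."""
    suffix = "." + parent
    return sorted({n for n, _, _ in rows if n.endswith(suffix)})


def similar_names(names, pattern=r"^\d{6}cm\."):
    """Keep names matching the seed's naming scheme (constructed regex)."""
    rx = re.compile(pattern)
    return [n for n in names if rx.match(n)]


def candidates_from_parent(rows, seed, threshold=CROWDED_THRESHOLD):
    """The fallback pivot: when no IP is usable, enumerate the parent's subdomains."""
    if usable_ip_pivots(rows, seed, threshold):
        return []  # an IP pivot is available; prefer it
    subs = subdomains_of(rows, parent_domain(seed))
    return [n for n in similar_names(subs) if n != seed]


if __name__ == "__main__":
    seed = "640740cm.parent-c2.test"
    print("crowded:", crowded_ips(ROWS))
    print("usable IP pivots:", usable_ip_pivots(ROWS, seed))
    print("subdomain candidates:", candidates_from_parent(ROWS, seed))
```

The threshold is deliberately a parameter: in a full passive-DNS corpus a genuine Cloudflare edge will carry far more than ten domains, while a small dedicated VPS rarely carries more than a handful, so a quick histogram of domains per IP over your own data set is the right way to choose it.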

Hunting Mint Stealer Through HTML Titles

This technique isn’t strictly passive DNS, but it’s a valuable hunting feature supported by Validin that can lead to new infrastructure.

Let’s take the domain mint-stealer[.]top, initially shared on ThreatFox and linked to Mint Stealer malware.

An indicator for Mint Stealer on ThreatFox.

Searching this domain on Validin, we encounter a passive DNS history with heavy utilization of Cloudflare.

As reported earlier, this complicates our pivots on A/IPv4 records alone.

DNS history for the Mint Stealer indicator.

Instead of relying strictly on Passive DNS, we can move to the Host Responses tab. This will show us any web-related data related to the domain, and can provide a collection of unique values to pivot from.

The Host Responses tab shows a distinct and unique HTML title referencing Mint Stealer. This value is unique enough (it directly references the malware) to be used as a pivot point.

Host response details for the Mint Stealer domain show pivotable title tags.

We can pivot on the HTML title by clicking its value directly.

We can then browse the Host Responses tab, which immediately reveals a new domain and IP address using the same HTML Title.

Results after pivoting on the HTML title tag for a known Mint Stealer domain.

In cases where infrastructure is protected by commercial solutions such as Cloudflare, web-related data can instead be a valuable pivot point.
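The Mint Stealer walkthrough turns on one judgement, that the HTML title is "unique enough" to pivot on. The following is an added example, not code from the original post or from Validin, that makes that judgement explicit: it normalises titles (case and whitespace, so trivial variants still match), counts how many distinct hosts serve each title, refuses to pivot on titles shared more widely than an assumed limit, and otherwise returns the other host/IP pairs serving the seed's title. The host-response rows, the titles and the limit are all constructed for illustration.

```python
"""Added example: the HTML-title pivot from the Mint Stealer walkthrough, run
over constructed host-response rows (not Validin data). Before pivoting it
checks that the title is specific enough to be worth pivoting on."""
from collections import Counter

# Constructed host-response observations: (host, ip, html_title).
HOST_RESPONSES = [
    ("stealer-panel.test", "203.0.113.50", "Stealer Panel - Login"),
    ("stealer-backup.test", "198.51.100.12", "Stealer Panel - Login"),
    ("stealer-backup.test", "198.51.100.13", "stealer panel - login "),
    ("shop.test", "192.0.2.30", "Index of /"),
    ("files.test", "192.0.2.31", "Index of /"),
    ("cdn.test", "192.0.2.32", "Index of /"),
    ("blog.test", "192.0.2.33", "Index of /"),
]

GENERIC_SHARE_LIMIT = 3  # assumed: titles seen on more hosts than this are too common


def normalize_title(title):
    """Fold case and collapse whitespace so trivial variants still match."""
    return " ".join(title.casefold().split())


def titles_for(responses, host):
    """Normalised titles observed on a given host."""
    return {normalize_title(t) for h, _, t in responses if h == host}


def hosts_per_title(responses):
    """How many distinct hosts serve each normalised title."""
    counts = Counter()
    for _host, title in {(h, normalize_title(t)) for h, _, t in responses}:
        counts[title] += 1
    return counts


def is_specific(responses, title, limit=GENERIC_SHARE_LIMIT):
    """True when the title is rare enough that sharing it means something."""
    return hosts_per_title(responses)[normalize_title(title)] <= limit


def pivot_on_title(responses, seed_host, limit=GENERIC_SHARE_LIMIT):
    """Other (host, ip) pairs serving the same title as the seed host,
    skipping any title too generic to pivot on (e.g. a directory listing)."""
    found = set()
    for title in titles_for(responses, seed_host):
        if not is_specific(responses, title, limit):
            continue
        for h, ip, t in responses:
            if h != seed_host and normalize_title(t) == title:
                found.add((h, ip))
    return found


if __name__ == "__main__":
    print("pivot from stealer-panel.test:", sorted(pivot_on_title(HOST_RESPONSES, "stealer-panel.test")))
    print("pivot from shop.test:", sorted(pivot_on_title(HOST_RESPONSES, "shop.test")))
```

The same pattern applies to any host-response field (server header, favicon hash, certificate subject): count how many hosts share the value first, and only pivot when the count is small.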

Conclusion

Passive DNS is a powerful tool that an analyst can utilize to uncover malicious infrastructure.

As shown today, Passive DNS doesn’t need to be complex. Many pivot points take only a few clicks to discover new domains and IOCs.

Validin provides Passive DNS capability in an intuitive and straightforward interface that any analyst can immediately use and benefit from.

Try it out for yourself with our Community Edition or contact us to learn how Validin can support cyber security for your organization.