Keypoints
- Started from Fox-IT dropper distribution URLs and performed passive DNS bulk lookups to gather historical IPs.
- Identified a common historical IP (82.221.136[.]47) across several reported domains and used it as an initial pivot.
- Filtered the large domain set by the “mcafee” subdomain, reducing >5000 results to 24 candidate domains.
- Observed a naming-scheme change (added hyphens and extra numeric segments) used by the actor to vary domains.
- Using these pivots and patterns, investigators discovered 13 additional domains on the same infrastructure not in the initial report.
- Analysis used Validin for passive DNS queries and suggests further searching would likely reveal more domains.
MITRE Techniques
- [T1566] Phishing – Vultur distribution appears to use dropper URLs and deceptive distribution methods (‘Vultur likely utilizes phishing methods, including misleading dropper URLs to distribute the trojan.’)
- [T1195.002] Supply Chain Compromise: Compromise Software Supply Chain – Possible distribution via manipulated legitimate software/downloads (‘This could be inferred if the trojan was distributed through manipulated legitimate software updates or downloads.’)
- [T1071.001] Application Layer Protocol: Web Protocols – C2 and distribution use HTTP/HTTPS through the identified domains (‘Using HTTP/HTTPS for command and control activities through the identified domains.’)
- [T1568.002] Dynamic Resolution: Domain Generation Algorithms – Actor varies domain names and naming schemes to evade blacklists (‘Potential use of dynamically generated domains to avoid blacklist-based blocking and takedown.’)
- [T1083] File and Directory Discovery – Malware likely performs local reconnaissance for files of interest on compromised hosts (‘Vultur might perform reconnaissance to find files of interest on compromised machines.’)
- [T1113] Screen Capture – Banking-trojan behavior includes capturing screens to steal banking information (‘As a banking trojan, capturing the screen to intercept sensitive banking information.’)
- [T1056.001] Input Capture: Keylogging – Keylogging to collect credentials is indicated (‘Capturing keystrokes to collect credentials and other valuable information.’)
- [T1041] Exfiltration Over C2 Channel – Stolen data is sent back to C2 servers via established channels (‘Sending stolen data to a command and control server via established communication channels.’)
Indicators of Compromise
- [Domain] Reported and newly discovered Vultur distribution domains – mcafee.0041-3413[.]com, mcafee.5832-3414[.]com, and 11 more domains
- [IP Address] Historical hosting/pivot IP – 82.221.136[.]47 (common historical resolver for several reported domains)
- [URL] Initial intelligence and dropper references – https://blog.fox-it.com/2024/03/28/android-malware-vultur-expands-its-wingspan/?ref=embeeresearch.io
- [URL] Investigation/source summary – https://www.embeeresearch.io/infrastructure-tracking-locating-vultur-domains-with-passive-dns
To track Vultur-related infrastructure, perform bulk passive-DNS lookups on known dropper distribution URLs to collect historical A records and identify shared IPs. In this case, several reported domains resolved historically to 82.221.136[.]47; while that IP hosts thousands of domains (likely shared infrastructure), it provided a pivot to focus on related domains.
Next, apply string-based filters (for example, the observed “mcafee” subdomain) across domains associated with the pivot IPs to narrow candidates — this reduced >5000 domains to 24. Inspect naming patterns (numeric segments, hyphens, and repeated structures) and repeat the process across other historical IPs to discover domains that follow the same schema; using this method the investigator identified 13 additional domains not in the original report.
Tools used: Validin for passive DNS bulk lookups and pivoting. Workflow: start from vendor reports (Fox-IT) for the initial dropper URLs, pivot on shared historical IPs and subdomain patterns, and iterate across historical records to expand the domain list; repeat the checks on other IPs and domain histories to locate further related infrastructure.
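The pivot-and-filter workflow above, as an added worked example (not code from the embeeresearch.io write-up and not Validin's API): it takes a passive-DNS export of (domain, historical A record) pairs, finds IPs shared by the reported seed domains, collects every domain on those IPs, keeps only those whose leftmost label is exactly "mcafee", groups the survivors by naming scheme (digit runs collapsed to their length so hyphenated and extra-segment variants stand out), and reports the ones absent from the original report. The records are constructed: the two seed domains and 82.221.136[.]47 are the values reported on this page, every other domain and IP uses reserved example names and RFC 5737 documentation ranges, and the (domain, ip) tuple layout is a generic stand-in for whatever your passive-DNS provider actually exports.

```python
"""Passive-DNS pivoting: seeds -> shared historical IPs -> domains on those IPs
-> label filter -> naming-scheme grouping -> domains not in the original report.

Added example; not the write-up's code and not Validin's output format.
"""
import re
from collections import defaultdict


def refang(s: str) -> str:
    """Turn the shared-IoC notation '[.]' back into a dot for matching."""
    return s.replace("[.]", ".")


def defang(s: str) -> str:
    """Defang the last dot only, matching the page's 'a.b.c[.]d' convention."""
    head, _, tail = s.rpartition(".")
    return f"{head}[.]{tail}" if head else s


# Constructed passive-DNS export (domain, historical A record). Only the two
# seed domains and 82.221.136[.]47 come from the report; the rest is made up
# with reserved names/ranges so the example runs offline.
SAMPLE_RECORDS = [
    ("mcafee.0041-3413[.]com", "82.221.136[.]47"),     # reported seed
    ("mcafee.0041-3413[.]com", "203.0.113[.]10"),      # constructed: seed moved hosts
    ("mcafee.5832-3414[.]com", "82.221.136[.]47"),     # reported seed
    ("mcafee.7720-1199-02[.]com", "82.221.136[.]47"),  # constructed: extra-segment variant
    ("mcafee.9001-0456[.]com", "203.0.113[.]10"),      # constructed: only on the non-shared IP
    ("cdn.example[.]net", "82.221.136[.]47"),          # unrelated tenant on the shared host
    ("shop.example[.]org", "82.221.136[.]47"),         # unrelated tenant
    ("mcafeestore.example[.]com", "82.221.136[.]47"),  # substring hit, but wrong label
]

REPORTED = {"mcafee.0041-3413[.]com", "mcafee.5832-3414[.]com"}


def index_by_ip(records):
    """ip -> set of domains that historically resolved to it (refanged)."""
    by_ip = defaultdict(set)
    for dom, ip in records:
        by_ip[refang(ip)].add(refang(dom))
    return by_ip


def pivot_ips(records, seeds, min_shared=2):
    """IPs that at least `min_shared` seed domains resolved to; the shared-IP pivot."""
    seed_set = {refang(s) for s in seeds}
    return {ip for ip, doms in index_by_ip(records).items()
            if len(doms & seed_set) >= min_shared}


def domains_on(records, ips):
    """Every domain seen on any of the pivot IPs (this is the '>5000' set)."""
    by_ip = index_by_ip(records)
    found = set()
    for ip in ips:
        found |= by_ip.get(ip, set())
    return found


def filter_label(domains, label):
    """Keep domains whose leftmost label equals `label`; stricter than a substring grep."""
    return {d for d in domains if d.split(".")[0] == label}


_DIGITS = re.compile(r"\d+")


def scheme_signature(domain):
    """Collapse each digit run to <length> so structurally similar names group together:
    mcafee.0041-3413.com -> mcafee.<4>-<4>.com"""
    return _DIGITS.sub(lambda m: f"<{len(m.group())}>", domain)


def group_by_scheme(domains):
    groups = defaultdict(set)
    for d in domains:
        groups[scheme_signature(d)].add(d)
    return dict(groups)


def run(records=SAMPLE_RECORDS, seeds=REPORTED, label="mcafee"):
    """Full pipeline; all output is defanged for safe sharing."""
    ips = pivot_ips(records, seeds)
    candidates = filter_label(domains_on(records, ips), label)
    new = candidates - {refang(s) for s in seeds}
    return {
        "pivot_ips": sorted(defang(ip) for ip in ips),
        "candidates": sorted(defang(d) for d in candidates),
        "schemes": {sig: sorted(defang(d) for d in doms)
                    for sig, doms in group_by_scheme(candidates).items()},
        "new_domains": sorted(defang(d) for d in new),
    }


if __name__ == "__main__":
    import json
    print(json.dumps(run(), indent=2))
```

On the sample data the only shared IP is 82.221.136[.]47, the label filter drops the unrelated tenants and the "mcafeestore" substring hit, the scheme grouping separates the "<4>-<4>" names from the "<4>-<4>-<2>" variant, and the constructed mcafee.7720-1199-02[.]com is reported as new. Raising `min_shared` or swapping the label filter for a signature match is how you would iterate across other historical IPs, as the write-up describes.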
Read more: https://www.embeeresearch.io/infrastructure-tracking-locating-vultur-domains-with-passive-dns