Keypoints
- Initial IoCs: Bitdefender and SentinelOne published 11 macOS backdoor IoCs (seven for RustDoor: five domains, two IPs; four IPs for KandyKorn).
- WHOIS and historical WHOIS searches for RustDoor IoCs yielded 10 historical email addresses and five email-connected domains (three referencing Find My-related strings).
- DNS lookups for RustDoor IoCs produced four additional IPs; one of those (85[.]187[.]128[.]40) was tied to phishing via threat intel lookup.
- Reverse IP lookups for KandyKorn IoCs returned 28 IP-connected domains, all flagged as malware hosts by threat intelligence.
- String-based discovery using domain tokens found 72 string-connected domains and 785 newly created iCloud-containing domains since 2024, eight of which were associated with phishing or other threats.
- Overall expansion from 11 starting IoCs uncovered 109 potentially related artifacts (email-connected domains, additional IPs, IP-connected and string-connected domains), with 29 confirmed malicious or phishing-associated.
MITRE Techniques
- [T1583.001] Acquire Infrastructure: Domain – Attackers registered and used multiple domains to host or distribute backdoors; ‘two domain IoCs contained macOS- and iCloud-related text strings—maconlineoffice[.]com and serviceicloud[.]com’
- [T1592] Search Open Websites/Domains – Researchers used WHOIS and Reverse WHOIS to expand from known domains to related registrations and emails; ‘we performed an expansion analysis beginning with WHOIS History API searches for the five domain names…discovery of 10 email addresses’
- [T1596] Search Open Technical Databases – Threat intelligence and IP geolocation lookups were used to classify hosts and reveal phishing associations; ‘Threat Intelligence Lookup revealed that one of the additional IP addresses—85[.]187[.]128[.]40—was associated with phishing’
- [T1566] Phishing – Infrastructure was used or associated with phishing activity to lure macOS users into installing malicious payloads; ‘Threat Intelligence API also revealed that eight of the icloud-containing domains were associated with phishing’
- [T1036] Masquerading – Domains contained legitimate-service strings to impersonate macOS/Apple services and Microsoft Office for Mac as social-engineering lures; ‘maconlineoffice[.]com and serviceicloud[.]com…could indicate attempts to legitimize their campaign’
Indicators of Compromise
- [Domain] RustDoor and related discovery – maconlineoffice[.]com, serviceicloud[.]com, and 72 additional string-connected domains
- [Domain] Email-connected domains (from WHOIS history) – findmy-inc[.]us, findmy-lcloud[.]us, findmyapp-location[.]us, and 2 more email-associated domains
- [IP address] RustDoor/KandyKorn hosts and additions – 85[.]187[.]128[.]40 (phishing-associated), plus other IoC IPs and 4 additional IPs found via DNS lookups
- [IP-connected domains] KandyKorn reverse-IP expansion – 28 IP-connected domains (all flagged as malware hosts)
- [Other artifacts] Large set of iCloud-related registrations – 785 icloud-containing domains created since 2024, eight of which were linked to phishing or generic threats
Researchers began with 11 published IoCs and focused technical enumeration on DNS, WHOIS, and threat-intel sources to map likely associated infrastructure. Steps included bulk WHOIS queries and WHOIS history lookups to extract registrant emails and registrars, Reverse WHOIS searches to find email-connected domains, DNS resolution to reveal additional IP addresses, IP geolocation and ISP attribution to contextualize hosting, reverse IP lookups to gather IP-connected domains, and Domains & Subdomains string searches (using tokens like “icloud”) to discover string-connected domains. Threat intelligence queries were used at multiple points to flag malicious hosts and phishing associations (e.g., 85[.]187[.]128[.]40 marked for phishing).
The iterative expansion workflow produced 109 candidate artifacts: five email-connected domains, four additional IP addresses, 28 IP-connected domains (all flagged as malware for the KandyKorn cluster), and 72 string-connected domains for RustDoor, with 29 properties confirmed malicious or phishing-related. The analysis highlights common operational patterns—use of impersonation strings to social-engineer macOS users, registrar diversity, and reuse of hosting/IP resources—that can be triaged via combined WHOIS/DNS/reverse-IP and threat-intel correlation to prioritize takedown or further investigation.
For replication: start from known IoCs, run WHOIS/WHOIS History to extract emails and registrar metadata, perform Reverse WHOIS on public registrant emails to find related domains, resolve domains to discover associated IPs, do reverse-IP to enumerate co-hosted domains, run Domains & Subdomains Discovery with relevant token strings, and enrich all findings with IP geolocation and threat-intel feeds to identify phishing/malware classifications before tagging and actioning suspicious entries.
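The replication workflow above, modelled offline as an added example (this is not code from the CircleID post or from the tools its authors used): each dictionary is a constructed stand-in for one lookup source (WHOIS History, Reverse WHOIS, DNS, reverse IP, Domains & Subdomains Discovery, threat intel), and every domain, email and IP value in it is hypothetical.

```python
# Constructed sample tables (hypothetical values, not real IoCs), one per lookup source.
WHOIS_HISTORY = {"seed-example.test": ["reg1@example.test"]}  # domain -> historical emails
REVERSE_WHOIS = {"reg1@example.test": ["seed-example.test", "findmy-example.test"]}
DNS_A = {"seed-example.test": ["203.0.113.10"], "findmy-example.test": ["203.0.113.20"]}
REVERSE_IP = {"203.0.113.10": ["seed-example.test", "cohosted-example.test"]}
STRING_SEARCH = {"icloud": ["icloud-login-example.test", "serviceicloud-example.test"]}
THREAT_INTEL = {  # artifact -> classification from the threat-intel feed
    "203.0.113.20": "phishing",
    "cohosted-example.test": "malware",
    "icloud-login-example.test": "phishing",
}

def expand_iocs(seed_domains, tokens):
    """Return {artifact: {"via": pivot, "verdict": classification}}; seeds are excluded."""
    found = {}
    def add(artifact, via):
        if artifact not in seed_domains and artifact not in found:
            found[artifact] = {"via": via, "verdict": THREAT_INTEL.get(artifact, "unknown")}
    def by(via):
        return [a for a, m in found.items() if m["via"] == via]
    # 1. WHOIS history -> registrant emails -> Reverse WHOIS -> email-connected domains
    for d in seed_domains:
        for email in WHOIS_HISTORY.get(d, []):
            for dom in REVERSE_WHOIS.get(email, []):
                add(dom, "email-connected")
    # 2. DNS resolution of seeds and email-connected domains -> additional IPs
    for d in list(seed_domains) + by("email-connected"):
        for ip in DNS_A.get(d, []):
            add(ip, "dns-resolved")
    # 3. Reverse IP on each new IP -> IP-connected (co-hosted) domains
    for ip in by("dns-resolved"):
        for dom in REVERSE_IP.get(ip, []):
            add(dom, "ip-connected")
    # 4. Domains & Subdomains Discovery on lure tokens -> string-connected domains
    for tok in tokens:
        for dom in STRING_SEARCH.get(tok, []):
            add(dom, "string-connected")
    return found

def malicious_subset(found):
    """Artifacts the feed flags as phishing or malware, i.e. the ones to triage first."""
    return sorted(a for a, m in found.items() if m["verdict"] in ("phishing", "malware"))

if __name__ == "__main__":
    hits = expand_iocs(["seed-example.test"], ["icloud"])
    for artifact, meta in hits.items():
        print(f"{artifact:30} via={meta['via']:17} verdict={meta['verdict']}")
    print("triage first:", malicious_subset(hits))
```

With real API responses substituted for the tables, the "via" field preserves which pivot surfaced each artifact, which matters when deciding how much weight to give a string-connected hit versus an email- or IP-connected one.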
Read more: https://circleid.com/posts/20240402-on-the-dns-trail-of-the-rise-of-macos-backdoors