Key points
- Distribution method: TimbreStealer was spread via finance-themed phishing (fake invoices and CDFI-style emails) targeting Mexico.
- Initial IoCs published by Cisco Talos included 4 domains, 24 IP addresses, and 124 subdomains; researchers expanded this to over 19,000 related artifacts.
- Bulk WHOIS on 38 domains showed registrations concentrated at NameSilo LLC and Namecheap, with most domains created in 2023–2024.
- IP geolocation found the 24 Talos-tagged IPs in the U.S. under DigitalOcean; DNS lookups added 11 more IPs managed across multiple ISPs (Cloudflare, DigitalOcean, UpCloud, etc.).
- DNS/string analysis revealed DGA-like subdomains using Spanish invoice-related strings (e.g., auditoria, comprobante, factura), yielding 18,798 matching subdomains and 452 string-connected domains.
- Threat Intelligence linked several discovered IPs and string-connected resources to phishing, malware, and C2 activity (examples included 172[.]67[.]164[.]129 and 91[.]195[.]240[.]12).
- The campaign applied geofencing to restrict access to malicious PDFs to users located in Mexico, limiting external screenshot/interaction evidence.
MITRE Techniques
- [T1566] Phishing – Use of “finance-themed phishing emails to lure victims in, including generic fake invoices and those imitating invoices from Comprobante Fiscal Digital por Internet (CDFI)”
- [T1027] Obfuscated Files or Information – Use of “obfuscation techniques to bypass monitoring and enable persistent presence in victims’ devices”
- [T1547] Boot or Logon Autostart Execution – The stated goal to “enable persistent presence in victims’ devices” indicates that persistence mechanisms were employed
- [T1071] Application Layer Protocol – Use of DNS and HTTP-based infrastructure for C2 and payload delivery shown by “DNS lookups” and web-hosted PDF resources tied to IoCs
- [T1483] Domain Generation Algorithms – Discovery of “seemingly domain generation algorithm (DGA)-created subdomains” using repeated Spanish invoice-related strings followed by digits
Indicators of Compromise
- [IP addresses] Talos and expanded infrastructure – 172[.]67[.]164[.]129, 91[.]195[.]240[.]12 (examples; 24 initial IoCs plus 11 additional IPs discovered)
- [Domains] Example malicious/string-connected domains – folio0939393[.]onlinerd[.]repl[.]co, comprobante20234[.]isa-geek[.]com (plus 4 initial domain IoCs and 452 string-connected domains)
- [Subdomains] DGA-like subdomains and hosted PDFs – pdf0977601[.]s3[.]us-west-004[.]backblazeb2[.]com, pdf9877221[.]s3[.]us-west-004[.]backblazeb2[.]com (18,798 string-connected subdomains found)
- [Email addresses] WHOIS registration emails used to link infrastructure – 12 public emails in historical WHOIS records (one email registered 695 domains and was filtered as a domainer)
Our technical procedure began with the four domains, 24 IP addresses, and 124 subdomains published as TimbreStealer IoCs. We performed bulk WHOIS lookups on 38 domains (the four IoCs plus 34 root domains extracted from Talos’ subdomains) to profile registrars, registration dates, and registrant countries; this revealed heavy use of NameSilo LLC and Namecheap, domain creation concentrated in 2022–2024, and registration footprints mainly in the U.S. and Iceland. Parallel bulk IP geolocation for the 24 Talos IPs showed all were geolocated in the U.S. and managed by DigitalOcean, prompting further DNS and reverse-IP correlation.
Next, WHOIS History and Reverse WHOIS searches for the domain IoCs uncovered 52 historical WHOIS email addresses (12 public); after excluding one domainer email used across 695 domains we compiled 111 email-connected domains. DNS lookups of the 4 domains and 124 subdomains resolved 11 additional IP addresses (bringing the total to 35), which, when subjected to geolocation and Threat Intelligence lookups, showed distribution across multiple ISPs (Cloudflare, DigitalOcean, UpCloud, Amazon, etc.) and associated threat labels including phishing, malware, and C2 for several IPs (e.g., 172[.]67[.]164[.]129; 91[.]195[.]240[.]12).
Finally, we analyzed string usage and subdomain patterns: ten recurring text strings (eight Spanish invoice-related and two tech terms) followed by digits suggested DGA-like generation across 34 root domains. Using Domains & Subdomains Discovery and string-based searches from 2023-01-01 to 2024-03-04, we enumerated 18,798 matching subdomains and 452 string-connected domains, and linked several specific web resources hosting malicious PDFs or phishing pages. These combined WHOIS, DNS, reverse-IP, and threat-intel steps produced a consolidated artifact set useful for broader detection and takedown efforts.
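The string-based subdomain hunt described above, as an added example (not code from the original post or its authors): it flags hostnames whose leftmost label is one of the recurring invoice-related strings followed by digits and clusters the hits by parent domain, so a defender can spot parents carrying many DGA-like children. Only the strings the page names are used (auditoria, comprobante, factura, folio, pdf); the full list of ten is not on the page, so the set is an assumed subset, and the sample hostnames are the page's own examples plus constructed benign names.

```python
import re
from collections import defaultdict

# Assumed subset of the ten recurring strings (the page names only these five).
DGA_STRINGS = ("auditoria", "comprobante", "factura", "folio", "pdf")

# Leftmost label = known string immediately followed by digits,
# e.g. folio0939393.onlinerd.repl.co or pdf0977601.s3.us-west-004.backblazeb2.com
DGA_LABEL_RE = re.compile(
    r"^(?P<word>" + "|".join(DGA_STRINGS) + r")(?P<digits>\d+)$", re.IGNORECASE
)

# Constructed sample input: page examples (defanged) plus benign names.
SAMPLE_HOSTS = [
    "folio0939393[.]onlinerd[.]repl[.]co",
    "comprobante20234[.]isa-geek[.]com",
    "pdf0977601[.]s3[.]us-west-004[.]backblazeb2[.]com",
    "pdf9877221[.]s3[.]us-west-004[.]backblazeb2[.]com",
    "www.example.com",                # benign, constructed
    "factura.example-company.com",    # known string but no digit suffix: not DGA-like
]

def refang(host):
    """Normalise a defanged hostname: example[.]com -> example.com (lowercased)."""
    return host.replace("[.]", ".").strip().lower().rstrip(".")

def match_dga_label(host):
    """Return (word, digits, parent_domain) when the leftmost label matches, else None."""
    first, sep, parent = refang(host).partition(".")
    if not sep:                       # a bare label has no parent to cluster under
        return None
    m = DGA_LABEL_RE.match(first)
    return (m.group("word"), m.group("digits"), parent) if m else None

def cluster_by_parent(hosts):
    """Group matching hostnames by parent domain: {parent: [hostnames]}."""
    clusters = defaultdict(list)
    for h in hosts:
        hit = match_dga_label(h)
        if hit:
            clusters[hit[2]].append(refang(h))
    return dict(clusters)

def rank_parents(hosts):
    """Parent domains ordered by how many DGA-like children they carry (desc), then name."""
    counts = ((p, len(v)) for p, v in cluster_by_parent(hosts).items())
    return sorted(counts, key=lambda pc: (-pc[1], pc[0]))

if __name__ == "__main__":
    for parent, n in rank_parents(SAMPLE_HOSTS):
        print(f"{n:3d}  {parent}")
```

Feed it passive-DNS or proxy hostnames; parents with many hits are candidates for the reverse-IP and WHOIS pivots described above.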
Read more: https://circleid.com/posts/20240421-hunting-for-timbrestealer-malware-artifacts-in-the-dns