Keypoints
- Investigation began from an initial indicator: the malicious domain treasurybanks[.]org used in ads targeting funds-recovery victims.
- Passive DNS (Validin) revealed recent resolutions to 47.90.170[.]226 and 91.195.240[.]123, with the former showing related subdomains (www, get, download, file).
- TLS certificate for treasurybanks[.]org contained hardcoded subdomains rather than a wildcard and was signed by GeoTrust/DigiCert with a not-before date in March 2024.
- Searcher pivoted on hardcoded subdomain patterns (www, file, get, download), certificate issuer (DigiCert/GeoTrust), and registration timeframe (Jan–Mar 2024) using Censys.
- Applying issuer and time filters in Censys reduced results to seven certificates (including maxrecovery[.]org and myfundsrecovery[.]org) that matched the original certificate structure.
- Validation via urlscan.io and a Validin bulk DNS review showed matching site structure and shared historic resolution to 91.195.240[.]123 and current resolution to Alibaba-owned IP ranges.
- Final high-confidence domains: treasurybanks[.]org, myfundsrecovery[.]org, maxrecovery[.]org, deptoftreasury[.]org, usdatarecovery[.]org; lower confidence: astrologytop[.]com.
MITRE Techniques
- [T1189] Drive-by Compromise – Using malicious ads to deliver malware or lure victims (‘malicious ads targeting users looking for funds recovery services’)
- [T1583] Acquire Infrastructure: Domains – Registration and use of multiple finance-themed domains to host malicious content (‘we will identify 6 malicious domains that are likely hosting MatanBuchus malware’)
- [T1588] Obtain Capabilities – Procuring TLS certificates from third-party providers (GeoTrust/DigiCert) to legitimize malicious domains (‘the certificate leverages GeoTrust and was registered on 2024-03-06’)
- [T1598] Phishing: Malicious Advertisements/Social Engineering – Leveraging ads and fraudulent recovery services to trick users into downloading malware (‘malicious ads targeting users looking for funds recovery services’)
- [T1592] Exfiltration Over Alternate Protocol – Use of multiple subdomains and hosting pivots to separate delivery infrastructure (implied through use of hardcoded subdomains and multiple domains in the same cluster) (‘these subdomains are hardcoded into the Certificate’)
Indicators of Compromise
- [Domain] Suspected malicious finance-themed domains – treasurybanks[.]org, maxrecovery[.]org, and 4 more similar domains
- [Subdomain] Hardcoded certificate subdomains observed – www.treasurybanks[.]org, download.treasurybanks[.]org (same pattern found across other domains)
- [IP Address] Historical resolutions linking domains – 47.90.170[.]226, 91.195.240[.]123
- [Certificate Issuer] TLS certificate provider used by cluster – GeoTrust / DigiCert (certificates registered March 2024)
- [Registration Date] Certificate / domain registration timeframe – March 2024 (used to filter Censys results)
To locate related malicious infrastructure, the analyst started from treasurybanks[.]org and used passive DNS (Validin) to enumerate historical A records, finding recent resolutions to 47.90.170[.]226 and 91.195.240[.]123. The first IP returned a set of recent subdomains (www, get, download, file) tied to the same domain. When historical IP pivots yielded little, the investigator examined the TLS certificate history and discovered the certificate contained hardcoded subdomain names (not a wildcard) and was signed by GeoTrust/DigiCert with a not-before date in early March 2024 — details used as new pivot points.
Using those pivots, the analyst queried Censys for certificates that included the hardcoded subdomain patterns (file*, get*, download*, www*) and filtered results to the certificate issuer (DigiCert/GeoTrust) and a validity start range in 2024. This reduced the candidate set from hundreds to seven certificates. Two of the clear matches identified were maxrecovery[.]org and myfundsrecovery[.]org; all matches shared the same subdomain structure and registration timeframe.
Finally, the investigator validated findings with urlscan.io (to compare site structure and screenshots) and a Validin bulk domain history lookup. These checks showed consistent site layouts and historical resolution overlap (many to 91.195.240[.]123) and current resolution to Alibaba-owned IP ranges, supporting a cluster of finance-themed domains likely used to distribute MatanBuchus. Final high-confidence domains: treasurybanks[.]org, myfundsrecovery[.]org, maxrecovery[.]org, deptoftreasury[.]org, usdatarecovery[.]org; lower confidence: astrologytop[.]com.
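The certificate pivot described above, as an added Python example that is not from the Embee Research write-up: it applies the three filters (hardcoded non-wildcard SAN labels www/get/download/file, DigiCert/GeoTrust issuer, Jan–Mar 2024 not-before) to a handful of constructed certificate records. The record shape and field names are assumptions, not Censys's actual API schema.

```python
from datetime import date

# Constructed sample records loosely shaped like simplified certificate
# search results; field names are an assumption, not a real API schema.
SAMPLE_CERTS = [
    {"issuer": "GeoTrust", "not_before": date(2024, 3, 6),
     "sans": ["treasurybanks.org", "www.treasurybanks.org", "get.treasurybanks.org",
              "download.treasurybanks.org", "file.treasurybanks.org"]},
    {"issuer": "DigiCert", "not_before": date(2024, 2, 20),
     "sans": ["maxrecovery.org", "www.maxrecovery.org", "get.maxrecovery.org",
              "download.maxrecovery.org", "file.maxrecovery.org"]},
    # Wildcard certificate: same issuer and window, but not the SAN pattern.
    {"issuer": "DigiCert", "not_before": date(2024, 2, 1),
     "sans": ["example-shop.net", "*.example-shop.net"]},
    # Same SAN shape, but a different CA and outside the time window.
    {"issuer": "Let's Encrypt", "not_before": date(2023, 11, 2),
     "sans": ["othersite.com", "www.othersite.com", "get.othersite.com",
              "download.othersite.com", "file.othersite.com"]},
]

PIVOT_LABELS = frozenset({"www", "get", "download", "file"})
ISSUERS = ("geotrust", "digicert")
WINDOW = (date(2024, 1, 1), date(2024, 3, 31))


def san_signature(sans):
    """Return (apex_domain, frozenset of host labels), or None for
    wildcard certs or certs whose SANs span more than one apex."""
    if any(s.startswith("*.") for s in sans):
        return None
    apex = min(sans, key=len)  # shortest SAN taken as the apex (constructed data)
    labels = set()
    for s in sans:
        if s == apex:
            continue
        if not s.endswith("." + apex):
            return None
        labels.add(s[: -len(apex) - 1])
    return apex, frozenset(labels)


def matches_pivot(cert):
    """True when the cert has the hardcoded labels, a matching issuer
    and a not-before date inside the registration window."""
    sig = san_signature(cert["sans"])
    if sig is None:
        return False
    _, labels = sig
    return (PIVOT_LABELS <= labels
            and any(i in cert["issuer"].lower() for i in ISSUERS)
            and WINDOW[0] <= cert["not_before"] <= WINDOW[1])


def cluster_domains(certs):
    """Apex domains whose certificates match all three pivot filters."""
    return sorted(san_signature(c["sans"])[0] for c in certs if matches_pivot(c))
```

Domains that pass the filter still need the urlscan.io and bulk passive DNS checks described above before being treated as confirmed members of the cluster.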
Read more: https://www.embeeresearch.io/tls-certificates-for-threat-intel-dns/