This report covers the cybercrime activities conducted by threat actors through the SandiFlux fast-flux botnet in mid-2019. We have tracked different malware campaigns, including (i) attacks conducted by the APT group known as TA505, which spread FlawedAmmyy RAT, the Amadey bot and an Email Stealer; (ii) ransomware campaigns such as GandCrab and Sodinokibi; (iii) the campaigns of the malware known as Phorphiex Worm/Trik and Ursnif; and (iv) other kinds of cybercrime activity, such as the hosting of phishing campaigns and carding-site domains.
3. aizoOn Group - aramis 2 SandiFlux Botnet Report
1. Introduction
In this document, we report the latest updates regarding a Fast Flux botnet (or Fast Flux Service Network) called SandiFlux, first described in 2018 in "Sandiflux: Another Fast Flux infrastructure used in malware distribution emerges" [1], published on the Proofpoint website. Subsequently, we observed the same phenomenon in our study of fast-flux botnets [2], when we obtained evidence of an IP migration from the well-known DarkCloud to the newborn SandiFlux.
The main contribution of this document is the analysis of the malicious activities that we have observed, complementary to other analyses already published (see the references at the end of the document), with a focus on the use of fast-flux botnets by cybercriminals. Furthermore, to give security analysts concrete evidence to work from, for each malware campaign that we describe we provide one or more references to samples analyzed in public sandboxes.
In the following section, we give an overview of SandiFlux, describing its main features. The
subsequent sections are devoted to the description of all the activities that leverage this
botnet, with a focus on the dynamic behavior observed within the chain of infection. Finally,
we give a list of IoCs, namely the complete list of domains tracked and a sample of the IPs
that we have retrieved.
2. SandiFlux 2019
We examined the IPs associated with a list of fast-flux domains, gathered by scouting public repositories such as VirusTotal, Any.Run and Hybrid Analysis. The IPs were collected via active DNS analysis in the period from 18 May 2019 to 18 June 2019. The main reference for the present report is the article [2].
The collected IPs show a behavior similar to the one associated with the SandiFlux botnet in 2018, both in terms of geolocation and in terms of shared IPs.
2.1 Shared IPs
In the following image, we represent the overlap $O_{ij}$ among all the pairs $(i, j)$ of the domains for which we retrieved more than 150 IPs, defined as

$$O_{ij} = \frac{|X_i \cap X_j|}{|X_i \cup X_j|}$$

where $X_i$ represents the pool of IPs associated with the $i$-th domain and $|X|$ is the cardinality of $X$ (i.e., the number of IPs in $X$). $O_{ij}$ is the Jaccard index of the two IP pools.
The overlap is represented in the image below in gray-scale, where white corresponds to the absence of overlap (0% of shared IPs), black corresponds to a perfect overlap (100% of shared IPs) and, in general, the darker the tone, the larger the overlap.
Overlap representation $O_{ij}$ (see text above). Darker tones represent larger overlaps
Two clusters are noticeable, corresponding to the domains collected in 2018 (on the lower left) and the ones collected in 2019 (on the upper right). As can be expected, the overlap within the clusters is larger than the overlap between clusters, but the latter is still greater than zero, showing the presence of a certain amount of shared IPs. This means that the domains belonging to the "2018 snapshot" of SandiFlux are quite similar among themselves in terms of associated IPs, and the same is true for the "2019 snapshot" of SandiFlux; if we compare the two snapshots, the similarity decreases but they still share a certain number of IPs. This suggests that the botnet is the same, and that there has been a mild turnover in the IPs, probably related to the limited lifetime of bots.
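As an added worked example (not part of the report, and not the authors' own tooling), the following Python computes the overlap $O_{ij}$ defined above for a constructed set of domain IP pools, two "2018" and two "2019" domains, and reports the mean intra-snapshot and inter-snapshot overlap that the two-cluster reading of the gray-scale matrix rests on. The domain names and IP labels are invented; the report's own threshold of 150 IPs per domain is exposed as the `min_ips` parameter but not applied to the small sample.

```python
"""Pairwise overlap O_ij between the IP pools of fast-flux domains.

Added example (not part of the report): the domain names and IP labels
below are constructed, not real SandiFlux data.
"""
from itertools import combinations
from typing import Dict, Iterable, Set, Tuple


def overlap(x_i: Set[str], x_j: Set[str]) -> float:
    """O_ij = |X_i ∩ X_j| / |X_i ∪ X_j| (Jaccard index); 0.0 if both pools are empty."""
    union = x_i | x_j
    return len(x_i & x_j) / len(union) if union else 0.0


def overlap_matrix(pools: Dict[str, Set[str]], min_ips: int = 0) -> Dict[Tuple[str, str], float]:
    """O_ij for every unordered pair of domains whose pool has at least min_ips IPs
    (the report used min_ips=150; the constructed sample below is much smaller)."""
    kept = {d: ips for d, ips in pools.items() if len(ips) >= min_ips}
    return {(a, b): overlap(kept[a], kept[b]) for a, b in combinations(sorted(kept), 2)}


def mean_overlap(matrix: Dict[Tuple[str, str], float],
                 group_a: Iterable[str], group_b: Iterable[str]) -> float:
    """Average O_ij over pairs with one domain in group_a and the other in group_b.
    With group_a == group_b this is the intra-cluster overlap, otherwise inter-cluster."""
    a, b = set(group_a), set(group_b)
    values = [v for (i, j), v in matrix.items()
              if (i in a and j in b) or (i in b and j in a)]
    return sum(values) / len(values) if values else 0.0


def snapshot_summary(pools_2018: Dict[str, Set[str]],
                     pools_2019: Dict[str, Set[str]]) -> Tuple[float, float, float]:
    """(intra-2018, intra-2019, inter-snapshot) mean overlaps: the three numbers
    behind the two-cluster reading of the gray-scale matrix."""
    matrix = overlap_matrix({**pools_2018, **pools_2019})
    return (mean_overlap(matrix, pools_2018, pools_2018),
            mean_overlap(matrix, pools_2019, pools_2019),
            mean_overlap(matrix, pools_2018, pools_2019))


# Constructed sample: two domains per snapshot, IPs abbreviated as labels.
SNAPSHOT_2018 = {
    "ff-2018-a.example": {"ip1", "ip2", "ip3", "ip4", "ip5", "ip6"},
    "ff-2018-b.example": {"ip1", "ip2", "ip3", "ip4", "ip7", "ip8"},
}
SNAPSHOT_2019 = {
    "ff-2019-a.example": {"ip3", "ip4", "ip9", "ip10", "ip11", "ip12"},
    "ff-2019-b.example": {"ip4", "ip9", "ip10", "ip11", "ip12", "ip13"},
}

if __name__ == "__main__":
    intra18, intra19, inter = snapshot_summary(SNAPSHOT_2018, SNAPSHOT_2019)
    print(f"intra-2018 {intra18:.3f}  intra-2019 {intra19:.3f}  inter {inter:.3f}")
    for (i, j), v in sorted(overlap_matrix({**SNAPSHOT_2018, **SNAPSHOT_2019}).items()):
        print(f"{i:18} {j:18} O_ij={v:.3f}")
```

On the sample the intra-snapshot means (0.5 and 5/7) are well above the inter-snapshot mean (about 0.145), which is exactly the pattern the report reads as "same botnet, mild IP turnover"; on real data the same three numbers should be recomputed on pools with the 150-IP cut applied.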
2.2 Geolocation
The image below represents the geographic location of the retrieved IPs.
Geographic location of the retrieved IPs, with a detail on East Europe
It is notable that the IPs are spread worldwide, but the highest density is found in Eastern
Europe, in particular in Romania and Bulgaria. This is confirmed by the image below and
does not come as a surprise since a similar situation was observed for SandiFlux in 2018
(see [2]).
In the following image, we represent the histogram of the number of IPs localized in the top 7 countries (in terms of retrieved IPs).
Number of retrieved IPs for the top 7 countries
3. Phishing Campaigns
Historically, one of the main purposes of fast-flux botnets has been hosting phishing domains [3]. The most famous fast-flux botnet used for phishing attacks was Avalanche, which was taken down by the authorities in 2016 [4].
We have tracked several phishing campaigns targeting numerous companies in the United States, such as United Services Automobile Association (USAA), JP Morgan Chase & Co (CHASE), AT&T, CitiBank and Microsoft. Examples of the involved URLs are:
• http://citimembercordservice[.]com/citi/
• http://attonlinerestore[.]com/attt/
• http://usaadebicardonline[.]com/usaa/
• http://chasedebitcardurgent[.]com/chase/
• http://microsoft-offices[.]com/microsoft/
We observed that a common tactic used by phishers consists of deploying the same phishing kit on a series of domains that share one prefix followed by a sequential number (e.g., chaseonlinedebit.com, chaseonlinedebit1.com, chaseonlinedebit2.com).
Furthermore, most of the tracked domains were registered through WebNic.cc and the remaining ones through PakNIC (Private) Limited, two registrars based in Singapore and Pakistan respectively.
Sample of phishing attacks against USAA, CHASE, AT&T and CitiBank
4. Dumps Stores
Another historically relevant cybercrime activity that leverages fast-flux botnets is the hosting of Dumps Stores/Carding Sites, i.e. the black markets where cybercriminals sell stolen credit cards. In 2016, several well-documented Dumps Stores that leveraged the DarkCloud botnet appeared [5].
Last year, during our analysis of DarkCloud and, afterwards, of SandiFlux, we witnessed a change: some historical dumps stores that are still online, such as try2swipe[.]ws, verified[.]vc, unclesam[.]ws, royaldumps[.]top and mcduck[.]org, left fast-flux botnets, and only a small part of them, such as validcc[.]ws, paysell[.]ws and csh0p[.]ru, moved from DarkCloud to SandiFlux.
We have recently observed that almost all the online Dumps Stores publicized by Carding
Forums do not leverage SandiFlux, and those that we tracked last year have disappeared.
The only Dumps Store that we have tracked, which was hosted in SandiFlux, is “The Fresh
Stuffs”. The tracked domains with their respective registrar are shown below:
Domain Registrar
thefreshstuff.at Key-Systems GmbH
thefreshstuffs.org WebNic.cc
thefreshstuffs.to Tonic.to
While monitoring the change rate of IPs resulting from our FFSN-tracker, we observed that
the number of unique IPs tracked at present is much lower than the number of unique IPs
registered last year for each dumps store domain; from over 1000 unique IPs of the last year
to around 300 unique IPs currently identified.
Home page and bulletin board of “The Fresh Stuffs” dump store
bestdump.org bestdumps.biz briansclub.at briansclub.cm brocard1.net
buybestbiz.net c2bit.pw carderbay.com cardhouse.cc ddumps24.com
deluxedumps.com diamondumps.biz ebin.cc entershop.st fe-shop.link
flyded.gs freshstuff24.net fullzshop.su fullzstore.su goldenshop.cc
goodshopbiz.net greendumps24.biz kingven.cc luckytrack.cc mrwhite.biz
pabloescobar.biz russianmarket.gs russianmarket.zone shadowcarders.com smd1.la
stardumps24.com tiesto.ec topcc.store vendta.cc worldcvv.me
wt1.la wt1shop.org www.fe-acc18.ru yohohobay.cc swipe.bz
List of some Dumps Stores gathered from several Carding Forums
5. Hacking Group TA505
Over the last months, several security researchers have reported a substantial increase in malicious activity related to the known TA505 hacking group [6] [7] [8] [9] [10]. The group has been active since 2014, mostly targeting banks and retail companies. The attack vector has always been a malicious email attachment, typically an Excel document, which spreads FlawedAmmyy RAT using various AV evasion techniques. After installation, this RAT downloads two additional components: a custom Email Stealer and the Amadey bot.
Infection chain of TA505 group attacks
5.1 FlawedAmmyy RAT
The RAT is built on legitimate remote-administration software from the Ammyy company, which has been subject to many abuses since the leak of its source code. Its features include remote desktop control, file system management, proxy support and audio chat. Once it is installed, the attackers obtain full access to the victim's device, being able to steal files and credentials, collect screenshots and access the camera and microphone.
After the Office document has been opened, its content displays a decoy image to lure the victim into executing a malicious macro. The malicious macro uses a multi-stage delivery system: the first stage drops a binary file (e.g. an MSI installer or an EXE file) and executes it, while the second stage downloads the malware itself.
We have observed two possible scenarios in which the attacker leverages the SandiFlux botnet:
1. The malicious macro drops the downloader of the malware using a fast-flux domain (in the following example velquene[.]net; see footnote 1).
2. The attacker uses a fast-flux domain to deliver the malicious document and consequently to drop the downloader of the malware (in the following example waiireme[.]com; see footnote 2).
Footnote 1: https://app.any.run/tasks/e4cc943e-b11c-4b95-ac40-f9e342ebeec9/
Footnote 2: https://app.any.run/tasks/bd545b8e-e293-446b-bcf9-94a17e7564df/
The registrar of all the domains that we have tracked is Eranet International Limited.
datdepot.net engast.top furhatsth.net jbswin.net kupitorta.net lecmess.top
solsin.top statesdr.top traveser.net vairina.top velquene.net waiireme.com
zonaykan.com
List of all FlawedAmmyy RAT domains tracked
5.2 Email Stealer
The Email Stealer is responsible for collecting all the emails stored on the computer, either on disk or in any email client installed by the user, mainly Microsoft Outlook. The purpose of the malware is to build databases of "fresh" emails with which to continue spreading the threat.
We have observed that the Email Stealer leverages the SandiFlux botnet to host the C2, to which it sends all the stolen data, always using the following path: http[:]//fastfluxdomain[.]tld/es/es.php, as shown in the following example (footnote 3).
In all the cases that we have analyzed, the attacker left directory listing enabled on the "es" folder where all the stolen data are stored. In each of the analyzed cases, the "es.php" file and the folders "old", "old2", "old3" and "old4" were created on the same date and at the same time, except for the files on the domain nettubex[.]top. Therefore, we can suppose that the observed files lead to two different motherships.
Examples of directory listing of some C2 of the Email Stealer
Footnote 3: https://app.any.run/tasks/6e13978a-4643-4aa8-bfc9-1fa186b230e2/
The registrar of all the domains that we have tracked is Eranet International Limited.
bascif.com cathits.net cmarcite.net nettubex.top
handous.net ldtfair.top safegross.com
List of all Email Stealer domains tracked
5.3 Amadey
Amadey allows its operators to perform multiple malicious tasks, such as downloading and running additional malware, receiving commands from a control server, exfiltrating sensitive information, updating or deleting itself, stealing logins, logging keystrokes (keylogger), participating in Distributed Denial of Service (DDoS) attacks, accessing bank transfer keys and even installing ransomware. Last year, the botnet was cracked and the source code of its web control panel was uploaded to GitHub (footnote 4).
We observed that Amadey leverages the SandiFlux botnet to host the C2, to which it sends all the data regarding the infected host, always using the following path: http[:]//domain[.]tld/ppk/index.php, as shown in the following example (footnote 5).
During the analysis of this campaign, we observed that there is a connection between the domains employed by the Email Stealer and Amadey. In fact, by adding the path "/ppk/index.php" to one of the Email Stealer domains, we obtain a redirect to the control panel of the Amadey botnet at the "/ppk/login.php" path, as shown in the following example. The domains that we checked are highlighted in yellow in the following table.
The control panel of Amadey Botnet
Footnote 4: https://github.com/CyberMonitor/amadey
Footnote 5: https://app.any.run/tasks/55c5ae41-dcd4-45d6-ad11-81b0e9757bc2/
The registrar of all the domains that we have tracked is Eranet International Limited.
gohaiendo.com rayshash.com ldtfair.top handous.net
bascif.com safegross.com
List of all Amadey domains tracked
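The two C2 paths described in sections 5.2 and 5.3 (the Email Stealer's /es/es.php, Amadey's /ppk/index.php and its /ppk/login.php panel) are a cheap pivot for a proxy-log sweep. The following Python is an added example, not from the report and not the authors' tooling: it parses constructed combined-log-style proxy lines, flags requests matching those paths and reports hosts that serve both components, which is the Email Stealer/Amadey overlap noted above. The log format, timestamps and client addresses are constructed; the path signatures and the hosts bascif.com and nettubex.top come from this report's observations and IoC list.

```python
"""Flag TA505 Email Stealer / Amadey C2 traffic in a web-proxy log by URL path.

Added example (not from the report): the log lines are constructed; the path
signatures and the domains bascif.com and nettubex.top are taken from the
report's own observations and IoC list.
"""
import re
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple

# (family, description) keyed by a path pattern reported for each component.
# The bare /es/ directory is a weak signal on its own (it is only notable
# because the operators left directory listing enabled on it).
C2_SIGNATURES = {
    re.compile(r"^/es/es\.php$"):     ("Email Stealer", "exfiltration endpoint"),
    re.compile(r"^/es/?$"):           ("Email Stealer", "drop directory (listing left open)"),
    re.compile(r"^/ppk/index\.php$"): ("Amadey", "bot check-in"),
    re.compile(r"^/ppk/login\.php$"): ("Amadey", "control panel"),
}

# Combined-log-style proxy line (constructed format for this example).
LOG_RE = re.compile(
    r'^(?P<src>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<url>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)$'
)


class Hit(NamedTuple):
    src: str
    ts: str
    host: str
    path: str
    family: str
    what: str


def split_url(url: str) -> Optional[Tuple[str, str]]:
    """Return (host, path) for an absolute http(s) URL, or None."""
    m = re.match(r"^https?://([^/:?#]+)(?::\d+)?(/[^?#]*)?", url)
    return (m.group(1).lower(), m.group(2) or "/") if m else None


def scan_proxy_log(lines) -> List[Hit]:
    hits: List[Hit] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # unparsable line: skip rather than abort the sweep
        parsed = split_url(m["url"])
        if not parsed:
            continue
        host, path = parsed
        for pattern, (family, what) in C2_SIGNATURES.items():
            if pattern.match(path):
                hits.append(Hit(m["src"], m["ts"], host, path, family, what))
    return hits


def shared_infrastructure(hits: List[Hit]) -> Dict[str, List[str]]:
    """Hosts contacted by more than one family: the Email Stealer / Amadey
    domain overlap the report describes."""
    families = defaultdict(set)
    for h in hits:
        families[h.host].add(h.family)
    return {host: sorted(f) for host, f in families.items() if len(f) > 1}


SAMPLE_LOG = """\
10.0.0.12 - - [03/Jun/2019:10:15:02 +0000] "POST http://bascif.com/es/es.php HTTP/1.1" 200 512
10.0.0.12 - - [03/Jun/2019:10:15:09 +0000] "POST http://bascif.com/ppk/index.php HTTP/1.1" 200 88
10.0.0.31 - - [03/Jun/2019:10:16:44 +0000] "GET http://nettubex.top/es/ HTTP/1.1" 200 2048
10.0.0.31 - - [03/Jun/2019:10:17:01 +0000] "POST http://nettubex.top/es/es.php HTTP/1.1" 200 4096
10.0.0.40 - - [03/Jun/2019:10:20:15 +0000] "GET http://www.example.com/index.php HTTP/1.1" 200 1024
"""

if __name__ == "__main__":
    found = scan_proxy_log(SAMPLE_LOG.splitlines())
    for h in found:
        print(f"{h.ts} {h.src} -> {h.host}{h.path}: {h.family} ({h.what})")
    print("hosts serving more than one family:", shared_infrastructure(found))
```

Because the domains flux, the host name rather than the resolved IP is the stable key here; a production rule would additionally require the host to be absent from an allow-list, since /index.php-style paths are common on benign sites and only the exact /es/es.php and /ppk/ paths carry signal.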
6. Phorphiex/Trik botnet
The Phorphiex worm, also known as the Trik botnet, is a decade-old worm historically spread via live chat (e.g. Windows Messenger, Skype) and USB storage drives. In 2019 it has become a serious threat because of its infection capabilities, which involve a large set of malware families [11].
The infection chain begins with a phishing email containing a zip file. Once the JavaScript file inside the zip has been launched, it uses a PowerShell statement to load the Phorphiex worm/Trojan loader and then the GandCrab ransomware, the Ursnif ISFB banking Trojan and the CryptoNight XMRig cryptocurrency miner.
We observed that in the infection chain, fast-flux domains were employed to download the Phorphiex worm/Trojan loader. The following example shows the HTTP requests for a sample in which the malicious JavaScript file drops the Phorphiex worm/Trojan loader and Ursnif performs its C2 call-back, both using a fast-flux domain: respectively, news-medias[.]ru and adonis-medicine[.]at (footnote 6).
The registrar of all the domains that we have tracked is ARDIS-RU.
guebipk-mvd.ru news-medias.ru
List of all Phorphiex/Trik domains tracked
Footnote 6: https://app.any.run/tasks/8fa71135-ecc2-437a-b172-764df12a8145/
7. Ursnif
Ursnif, also known as Gozi ISFB or Dreambot, is a well-known and widely distributed banking Trojan involved in several malware campaigns. Banking Trojans are a particular type of malware that attackers leverage in an attempt to obtain banking credentials from customers of various financial institutions. Ursnif is often spread by exploit kits, email attachments and malicious links and has continued to evolve over time; in particular, since its source code was leaked, attackers have improved it and added new features.
Last year, Talos [12] reported that the domains and associated infrastructure used to distribute this malware, as well as the associated C2 domains, had been leveraging the DarkCloud botnet. In fact, during our analysis of the IP migration from DarkCloud to SandiFlux, we observed that the Ursnif campaigns had also moved.
While tracking some of the Ursnif campaigns, we witnessed that part of them were being spread through an obfuscated JavaScript file, while others were part of different malware campaigns, as discussed in the previous section. In the first case, once the JavaScript file is launched, it drops and executes the malware itself.
As Talos reports, we have witnessed several cases in which the domains used for distribution and the domains associated with the C2 both leverage SandiFlux, as shown in the following example by the domains trading-secrets[.]ru and adonis-medicine[.]at respectively (footnote 7).
Furthermore, over the observation period, a small group of domains showed a sudden change of behavior: the number of IPs returned by each domain lookup switched from 10, with a TTL of 150 seconds, to 4, with a TTL of 600 seconds. In the following table, these domains are highlighted in yellow.
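The following Python is an added example (not from the report, and not the authors' FFSN-tracker) of how an active or passive DNS monitor can profile each domain over repeated lookups and detect the regime change just described: it scores the usual fast-flux signals (short TTL, many A records per answer, high turnover of distinct IPs) and reports a persistent switch of (answer count, TTL). The lookups, domain names and IP addresses are constructed to mimic the 10-records/150-second to 4-records/600-second switch; the thresholds are illustrative.

```python
"""Per-domain DNS behaviour profiling for fast-flux detection and regime changes.

Added example (not from the report): the lookups below are constructed to mimic
the two regimes the report describes, 10 A records with TTL 150 s switching to
4 A records with TTL 600 s; domain names and IPs are invented.
"""
from collections import defaultdict
from typing import Dict, List, NamedTuple, Optional, Tuple


class Lookup(NamedTuple):
    domain: str
    t: int                    # seconds since the start of observation
    ttl: int
    answers: Tuple[str, ...]  # A records returned by this query


def by_domain(lookups: List[Lookup]) -> Dict[str, List[Lookup]]:
    groups = defaultdict(list)
    for lk in lookups:
        groups[lk.domain].append(lk)
    return {d: sorted(seq, key=lambda lk: lk.t) for d, seq in groups.items()}


def flux_profile(seq: List[Lookup]) -> Dict[str, float]:
    """Three signals of fast flux: short TTL, many A records per answer and a
    high turnover of distinct IPs across repeated lookups."""
    unique = set()
    for lk in seq:
        unique.update(lk.answers)
    total_answers = sum(len(lk.answers) for lk in seq)
    return {
        "lookups": len(seq),
        "unique_ips": len(unique),
        "min_ttl": min(lk.ttl for lk in seq),
        "avg_answers": total_answers / len(seq),
        "turnover": len(unique) / total_answers,   # 1.0 = no IP ever repeated
    }


def looks_fast_flux(profile: Dict[str, float], max_ttl: int = 300,
                    min_answers: float = 5, min_turnover: float = 0.5) -> bool:
    """Thresholds are illustrative; tune them against your own passive DNS."""
    return (profile["min_ttl"] <= max_ttl
            and profile["avg_answers"] >= min_answers
            and profile["turnover"] >= min_turnover)


def regime_change(seq: List[Lookup], min_persist: int = 2
                  ) -> Optional[Tuple[Tuple[int, int], Tuple[int, int], int]]:
    """Detect the most recent switch of (answer count, TTL). Returns
    (old_regime, new_regime, time_of_switch), or None if the regime never
    changed or the new regime was seen in fewer than min_persist lookups."""
    regimes = [(len(lk.answers), lk.ttl) for lk in seq]
    for idx in range(len(regimes) - 1, 0, -1):
        if regimes[idx] != regimes[idx - 1]:
            if len(regimes) - idx >= min_persist:
                return regimes[idx - 1], regimes[idx], seq[idx].t
            return None
    return None


def _ips(base: int, n: int) -> Tuple[str, ...]:
    """Constructed, non-repeating RFC 1918 addresses for the sample."""
    return tuple(f"10.{(base + k) // 256}.{(base + k) % 256}.1" for k in range(n))


SAMPLE_LOOKUPS: List[Lookup] = (
    # fast-flux domain: 6 lookups with 10 fresh IPs and TTL 150, then 3 with 4 IPs and TTL 600
    [Lookup("ff-a.example", 150 * i, 150, _ips(10 * i, 10)) for i in range(6)]
    + [Lookup("ff-a.example", 900 + 600 * i, 600, _ips(100 + 4 * i, 4)) for i in range(3)]
    # ordinary domain: one stable A record with a long TTL
    + [Lookup("static.example", 3600 * i, 3600, ("192.0.2.10",)) for i in range(3)]
)

if __name__ == "__main__":
    for domain, seq in by_domain(SAMPLE_LOOKUPS).items():
        prof = flux_profile(seq)
        print(domain, prof, "fast-flux" if looks_fast_flux(prof) else "normal",
              "regime change:", regime_change(seq))
```

A regime change of this kind is worth alerting on by itself: it is visible with nothing but the answer count and TTL, before any of the new IPs has been attributed, and it is how the highlighted domains in the table below were singled out.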
Key-Systems GmbH was the registrar of most of the tracked domains, while the remaining domains were registered through ARDIS-RU.
adonis-medicine.at alfa-sentavra.at fitalyaka-service.at intrade-support.ru cloud-start.at
regeneration-data.at marcoplfind.at miska-server.at
List of all Ursnif domains tracked
Footnote 7: https://app.any.run/tasks/bb60012c-9ff5-4c6e-8b0b-5f28bc6deba5/
8. Ransomware Campaigns
Historically, ransomware campaigns have also used fast-flux botnets for malware distribution, C2 communications or payment pages [1] [2] [3]. One of the most famous cases was Locky, which leveraged DarkCloud over a long period of time. Recently, we have observed that GandCrab, which we tracked last year, and Sodinokibi have been leveraging SandiFlux as distribution infrastructure.
8.1 GandCrab
GandCrab has been the most widespread ransomware of the last two years; it is sold as a ransomware-as-a-service (RaaS) offering and has been advertised on a well-known hacking forum since 2018 [13]. In addition, this malware was the first to introduce features such as payment in the DASH cryptocurrency and the use of the ".bit" top-level domain (TLD). The hacking group developed at least five versions, and recently announced plans to shut down their service, as reported by several security blogs [14].
Last year we tracked a GandCrab 2.1 campaign [15] that leveraged SandiFlux to host the C2 domains ransomware[.]bit and zonealarm[.]bit. A common characteristic of this attack was that these domains were resolved using only specific DNS servers hardcoded in the executable (e.g. ns1.cloud-name[.]ru, ns1.corp-servers[.]ru).
Recently, we have tracked a campaign that employed a malicious Word document to spread GandCrab. When the document is opened, its content displays a decoy image to lure the victim into executing a malicious macro that uses PowerShell to drop and execute the ransomware. This campaign particularly targeted Germany [16], and it was also reported by CERT-Bund (footnote 8).
In contrast to the previous year, the attacker leveraged SandiFlux to distribute GandCrab and not to host the C2 domains, as shown in the following example (footnote 9):
The registrar of all the domains that we have tracked is Eranet International Limited.
garizzlas.top flowjob.top
List of all GandCrab domains tracked
8.2 Sodinokibi
Sodinokibi is a new, emerging ransomware family first reported by Cisco Talos [17]. This ransomware is known to be installed via an Oracle WebLogic exploit, which allows the attackers to infect a host without any form of user interaction, such as opening an email attachment or clicking on a malicious link. However, another recent campaign uses spam email with a malicious Word document as an attachment to download the ransomware onto the target system. In particular, this campaign targets Germany [18], using a document that displays a decoy image to lure the victim into executing a malicious macro that downloads and installs Sodinokibi.
We have observed that the attackers leveraged SandiFlux to distribute the ransomware, which was dropped through the malicious Word document, as shown in the following example (footnote 10):
The registrar of all the domains that we have tracked is Eranet International Limited.
anmcousa.xyz blaerck.xyz btta.xyz
List of all Sodinokibi domains tracked
Footnote 8: https://twitter.com/certbund/status/1084817259204362240
Footnote 9: https://app.any.run/tasks/985e56fb-d130-482f-b38e-b87c558d93e1/
Footnote 10: https://app.any.run/tasks/961cfd75-3b54-42f6-84d0-9b34055df7bd/
usaamembersupports.com WebNic.cc Phishing USAA
usaaresoluton.com WebNic.cc Phishing USAA
wellsfargodebtcard.com WebNic.cc Phishing WELLS FARGO
9.3 Malware
Domain Registrar Malware Campaign
bascif.com Eranet International Limited Amadey
gohaiendo.com Eranet International Limited Amadey
handous.net Eranet International Limited Amadey
ldtfair.top Eranet International Limited Amadey
safegross.com Eranet International Limited Amadey
rayshash.com Eranet International Limited Amadey
blueoyster.top Eranet International Limited Android Bank Bot
safegross.com Eranet International Limited Email Stealer
bascif.com Eranet International Limited Email Stealer
cathits.net Eranet International Limited Email Stealer
cmarcite.net Eranet International Limited Email Stealer
handous.net Eranet International Limited Email Stealer
ldtfair.top Eranet International Limited Email Stealer
nettubex.top Eranet International Limited Email Stealer
datdepot.net Eranet International Limited FlawedAmmyy RAT
engast.top Eranet International Limited FlawedAmmyy RAT
furhatsth.net Eranet International Limited FlawedAmmyy RAT
jbswin.net Eranet International Limited FlawedAmmyy RAT
kupitorta.net Eranet International Limited FlawedAmmyy RAT
lecmess.top Eranet International Limited FlawedAmmyy RAT
solsin.top Eranet International Limited FlawedAmmyy RAT
statesdr.top Eranet International Limited FlawedAmmyy RAT
traveser.net Eranet International Limited FlawedAmmyy RAT
vairina.top Eranet International Limited FlawedAmmyy RAT
velquene.net Eranet International Limited FlawedAmmyy RAT
waiireme.com Eranet International Limited FlawedAmmyy RAT
zonaykan.com Eranet International Limited FlawedAmmyy RAT
garizzlas.top Eranet International Limited GandCrab
flowjob.top Eranet International Limited GandCrab
guebipk-mvd.ru ARDIS-RU Phorphiex/Trik
news-medias.ru ARDIS-RU Phorphiex/Trik
anmcousa.xyz Eranet International Limited Sodinokibi
blaerck.xyz Eranet International Limited Sodinokibi
btta.xyz Eranet International Limited Sodinokibi
adonis-medicine.at Key-Systems GmbH Ursnif
alfa-sentavra.at Key-Systems GmbH Ursnif
fitalyaka-service.at Key-Systems GmbH Ursnif
intrade-support.ru ARDIS-RU Ursnif
marcoplfind.at Key-Systems GmbH Ursnif
miska-server.at Key-Systems GmbH Ursnif
regeneration-data.at Key-Systems GmbH Ursnif
cloud-start.at Key-Systems GmbH Ursnif
9.4 Unclassified
Domain Registrar
cloudservyuuer.com Eranet International Limited
co-operative-bank.com Eranet International Limited
donaflopper.xyz Eranet International Limited
ffpanelday.net Eranet International Limited
ffpdm.net Eranet International Limited
gulftra.com Eranet International Limited
hubogolas.top Eranet International Limited
kasuamuia.top Eranet International Limited
kreewalk.com Eranet International Limited
neurona.top Eranet International Limited
riaalkot.com Eranet International Limited
verify-konto-35235123.xyz Eranet International Limited
americanexpressproceess.at Key-Systems GmbH
hacnostri.at Key-Systems GmbH
klll.at Key-Systems GmbH
aktualisierung-daten-346132461.top Openprovider
aktualisierung-daten-363435.top Openprovider
aktualisierung-daten-65757544.icu Openprovider
automatischer-524532.top Openprovider
kunden-contact-251363251.work Openprovider
mitteilung-referenzcode-624563123.top Openprovider
wichtige-kundeninformation-7462343636.top Openprovider
ameixpress.com WebNic.cc
americanexpressnerosult.com WebNic.cc
americanexpressrespond.com WebNic.cc
berkshirehattway.com WebNic.cc
chase121onineline.com WebNic.cc
chase453validate.com WebNic.cc
chase4thonline.com WebNic.cc
secureilonline.com WebNic.cc
turbotaxing.com WebNic.cc
wells4forgo.com WebNic.cc
wellsfargocardservicess.com WebNic.cc
wellsi4fargo.com WebNic.cc
Appendix A
Due to the nature of fast-flux botnets, obtaining a relevant sample of IPs useful as IoCs is not an easy task. During the period from 18 May 2019 to 18 June 2019, we collected hundreds of IPs involved in SandiFlux, and the life cycle of each IP depended on several factors. Below, we provide a list of the 75 most used IPs (in terms of the number of tracked domains that share them); the fact that many active fast-flux domains are associated with these IPs seems to be an indicator of their resilience. In the table below, for each IP, $n_{domains}$ represents the number of tracked domains that share that IP.
IP n_domains | IP n_domains | IP n_domains
81.12.175.59 65 62.141.241.11 63 5.204.10.100 61
89.238.207.5 65 66.181.168.248 63 87.119.100.220 61
91.201.175.46 65 78.40.46.135 63 37.247.216.118 60
155.133.93.30 65 85.206.221.28 63 89.17.225.163 60
193.33.1.18 65 87.241.136.1 63 89.45.19.24 60
213.164.242.16 65 89.47.94.113 63 188.254.142.85 60
37.34.176.37 64 89.190.74.198 63 5.253.53.236 59
37.75.33.242 64 151.237.80.80 63 151.251.23.210 59
46.47.98.128 64 178.48.154.38 63 190.213.108.96 59
78.90.243.124 64 181.59.254.21 63 46.214.214.39 58
84.54.187.24 64 186.87.135.97 63 89.215.156.222 58
86.61.75.99 64 190.158.226.15 63 2.185.239.164 57
86.101.230.109 64 195.222.40.54 63 78.31.63.30 57
86.106.200.105 64 195.228.41.2 63 91.139.196.113 57
89.45.19.18 64 203.91.116.53 63 188.112.188.207 57
93.103.166.70 64 212.98.131.181 63 213.222.130.75 57
93.152.165.187 64 31.5.167.149 62 77.70.100.139 56
95.158.162.200 64 46.237.80.152 62 188.208.134.201 56
143.208.165.41 64 79.100.208.102 62 41.110.200.194 54
186.74.208.84 64 89.45.19.26 62 95.111.66.122 53
193.107.99.167 64 95.43.57.155 62 151.237.138.38 53
197.255.225.249 64 181.39.233.180 62 86.104.75.4 52
2.185.146.116 63 190.140.73.248 62 109.166.208.203 52
37.152.176.90 63 196.20.111.10 62 77.81.55.140 51
62.73.70.146 63 5.56.73.146 61 200.91.115.40 51
In the image below, we represent the number $n_{domains}$ of shared tracked domains as a function of the rank of the IP (after the IPs are sorted by number of shared domains), on a log-log scale. The behavior is very far from a Zipfian distribution (which would be linear on the log-log scale), and this is only partially explained by the finite-size effect (we did not observe an infinite number of domains). The long plateau around the value 60 may indicate that these IPs are considered quite reliable by the bot herder and are used to host most of the fast-flux domains.
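As an added example (not from the report, and not the authors' code), the following Python derives $n_{domains}$ from a domain-to-IP mapping such as the one the tracker produces, ranks the IPs, measures the length of the top plateau and fits the log-log slope that the Zipf comparison above relies on (a Zipfian curve gives a slope near -1; a plateau pulls the fit towards 0 at the top). The mapping is constructed so that four IPs are shared by every domain, two by half of them and the rest by a single domain; the addresses are documentation ranges, not IoCs.

```python
"""Rank IPs by the number of tracked domains that share them (n_domains).

Added example (not from the report): the domain-to-IP mapping is constructed so
that a few "stable" IPs are shared by every domain, a few by half of them and
the rest by a single domain; the addresses are documentation ranges, not IoCs.
"""
import math
from collections import Counter
from typing import Dict, List, Set, Tuple


def shared_domain_counts(pools: Dict[str, Set[str]]) -> Counter:
    """n_domains for every IP: how many tracked domains resolved to it."""
    counts: Counter = Counter()
    for ips in pools.values():
        counts.update(ips)
    return counts


def rank_table(counts: Counter) -> List[Tuple[str, int]]:
    """IPs sorted by n_domains (descending), ties broken by address for determinism."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


def loglog_slope(ranked: List[Tuple[str, int]]) -> float:
    """Least-squares slope of log(n_domains) against log(rank). A Zipfian
    rank-frequency curve gives roughly -1; a long plateau pulls it towards 0.
    Returns NaN when fewer than two distinct ranks are available."""
    xs = [math.log(r) for r in range(1, len(ranked) + 1)]
    ys = [math.log(n) for _, n in ranked]
    if len(xs) < 2:
        return float("nan")
    mx, my = sum(xs) / len(xs), sum(ys) / len(ys)
    sxx = sum((x - mx) ** 2 for x in xs)
    sxy = sum((x - mx) * (y - my) for x, y in zip(xs, ys))
    return sxy / sxx


def plateau(ranked: List[Tuple[str, int]], rel_tol: float = 0.1) -> List[str]:
    """Top-ranked IPs whose n_domains is within rel_tol of the maximum: the
    'reliable' IPs that host most of the fast-flux domains."""
    top = ranked[0][1]
    return [ip for ip, n in ranked if n >= top * (1 - rel_tol)]


def build_sample() -> Dict[str, Set[str]]:
    """Constructed mapping: 8 domains; 4 IPs in all of them, 2 in half, 6 in one each."""
    stable = {f"198.51.100.{k}" for k in range(1, 5)}
    pools = {f"ff{i}.example": set(stable) for i in range(8)}
    for i in range(4):
        pools[f"ff{i}.example"].update({"203.0.113.10", "203.0.113.11"})
    for i in range(6):
        pools[f"ff{i}.example"].add(f"192.0.2.{i + 1}")
    return pools


if __name__ == "__main__":
    ranked = rank_table(shared_domain_counts(build_sample()))
    for rank, (ip, n) in enumerate(ranked, 1):
        print(f"{rank:3d} {ip:16} n_domains={n}")
    print("plateau:", plateau(ranked))
    print(f"log-log slope: {loglog_slope(ranked):.2f}")
```

On the report's own data the same ranking yields the table above, and the plateau function returns the block of IPs sitting at around 60 shared domains; those are the addresses worth prioritising as IoCs, since they outlive the individual fast-flux domains that point at them.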
Number $n_{domains}$ of shared tracked domains as a function of the rank of the IP, represented on a log-log scale
References
[1] Proofpoint, "Sandiflux: Another Fast Flux infrastructure used in malware distribution emerges". [Online]. Available: https://www.proofpoint.com/us/threat-insight/post/sandiflux-another-fast-flux-infrastructure-used-malware-distribution-emerges
[2] P. Lombardo, S. Saeli, F. Bisio, B. Davide and D. Massa, "Fast Flux Service Network Detection via Data Mining on Passive DNS Traffic," in Information Security, Springer International Publishing, 2018, pp. 463-480.
[3] [Online]. Available: https://www.riskanalytics.com/wp-content/uploads/2017/10/Dark_Cloud_Network_Facilitates_Crimeware.pdf
[4] [Online]. Available: https://www.europol.europa.eu/newsroom/news/%E2%80%98avalanche%E2%80%99-network-dismantled-in-international-cyber-operation
[5] [Online]. Available: https://krebsonsecurity.com/2016/05/carding-sites-turn-to-the-dark-cloud/
[6] [Online]. Available: https://nao-sec.org/2019/04/Analyzing-amadey.html
[7] [Online]. Available: https://ti.360.net/blog/articles/excel-4.0-macro-utilized-by-ta505-to-target-financial-institutions-recently-en/
[8] [Online]. Available: https://securityaffairs.co/wordpress/81857/malware/flawedammyy-undetected-xlm-macros.html
[9] [Online]. Available: https://medium.com/@1ZRR4H/ta505-intensifica-ciberataques-a-chile-y-latinoam%C3%A9rica-con-flawedammy-9fb92c2f0552
[10] [Online]. Available: https://blog.yoroi.company/research/the-stealthy-email-stealer-in-the-ta505-arsenal/
[11] [Online]. Available: https://blog.appriver.com/phorphiex/trik-botnet-campaign-leads-to-multiple-infections-ransomware-banking-trojan-cryptojacking
[12] [Online]. Available: https://blog.talosintelligence.com/2018/03/gozi-isfb-remains-active-in-2018.html
[13] [Online]. Available: https://id-ransomware.blogspot.com/2018/01/gandcrab-ransomware.html
[14] [Online]. Available: https://www.zdnet.com/article/gandcrab-ransomware-operation-says-its-shutting-down/
[15] [Online]. Available: https://fortinetweb.s3.amazonaws.com/fortiguard/research/AVAR%20-%20The%20GandCrab%20Mentality.pdf
[16] [Online]. Available: https://www.gdata.de/blog/2019/01/31427-verschlusselungstrojaner-die-erste-gandcrab-welle-im-jahr-2019
[17] [Online]. Available: https://blog.talosintelligence.com/2019/04/sodinokibi-ransomware-exploits-weblogic.html