Developing these signatures can be difficult, and there is little public documentation on how they can be performed. Today, we will look into a single domain indicator shared on X/Twitter and show you how to analyse it for patterns that lead to 36 additional domains.
Our final analysis will review these domains and link them with high confidence to public reports on APT SideWinder.
Our initial investigation begins with a single domain indicator shared by DocGuard in a recent post on X.
Note the domain's name of docs.mofa-services-server[.]top and consider that MOFA is an acronym for “Ministry of Foreign Affairs”. This will become important later.
Our initial indicator is a domain, so we can begin with domain-based analysis, such as a passive DNS lookup.
The aim here is to obtain historical records of IP addresses to which the domain has resolved. We want to use the IP addresses to find other domains associated with the same IP infrastructure.
Running a passive DNS lookup reveals that the domain currently resolves to an IP address of 188.114.97[.]3. This IP is hosted by CloudFlare on ASN `13335`.
We can try to find related domains by performing a passive DNS lookup for 188.114.97[.]3, which will reveal any domains that have resolved to the same address.
Below is the passive DNS lookup for 188.114.97[.]3, showing a large number of unrelated domains.
Our screenshot above reveals that 801666666 domains have resolved to the same address.
As mentioned previously, this huge number of related domains is due to the usage of CloudFlare. We can narrow down the results by applying additional filters, but the number of results may still be in the tens of thousands. Hence, we attempted a similar pivot on the parent domain to find patterns that are easier to work with.
Since the parent domain is likely to be owned and controlled by the same actor, it can occasionally serve as a more accessible and more helpful pivot point.
Since pivoting on the initial docs subdomain had way too many results, we performed a similar lookup on the parent domain of mofa-services-server[.]top.
Parent domains aren’t always given the same protection as subdomains, and since they are typically controlled by the same actor, they serve as a far more helpful pivot point.
The parent domain of mofa-services-server[.]top has only one known IP of 91.195.240[.]123, which is hosted on SEDO with ASN 47846, and was first seen on 2024-03-20.
A passive DNS lookup on this new IP 91.195.240[.]123 will allow us to determine any domains that have shared the same address.
Performing this lookup identifies 770427 related domains. This is a huge number but significantly less than that of the original CloudFlare IP.
Since this is still a vast number, we can leverage regular expressions to apply additional filtering to narrow down our results. Performed correctly, this can significantly reduce the number of related domains to a manageable number.
An advanced query allows us to apply specific filters that will significantly reduce the number of results. Before we can do this, we need to establish what exactly we will filter on.
Consider that we know the following information about mofa-services-server[.]top: it resolved to the IP address 91.195.240[.]123, it uses the .top Top Level Domain, and it was first seen on 2024-03-20.
An advanced query allows us to provide this information through date filters, network filters, and regular expressions. The below parameters are how they can be applied in SilentPush.
The IP address 91.195.240[.]123 can be applied as a qanswer filter.
The Top Level Domain (.top) can be applied as \.top$ at the end of a domain_regex.
The naming pattern of three lowercase words separated by hyphens can be applied as ^[a-z]{1,}\-[a-z]{1,}\-[a-z]{1,} at the beginning of the domain_regex.
The first-seen date can be applied as first_seen_after=2024-03-18 and first_seen_before=2024-03-22, which allows for +- 2 days of buffer on either side.
The complete regular expression used here is ^[a-z]{1,}\-[a-z]{1,}\-[a-z]{1,}\.top$ and, if you are using SilentPush, the advanced query can be found in (Advanced Query Builder -> PADNS Queries -> Live Unsanctioned Assets Lookup).
Applying these filters cuts the results down to only 7 domains. This is a great number and is significantly lower than the 770427 initially associated with the same IP 91.195.240[.]123. This means our filters were able to cut out 770420 results.
The 7 resulting domains contain recurring “PK” (Pakistan) themes and common acronyms for Government agencies.
The results are returned in JSON format and contain a huge amount of information. We only need the resulting domains (for now), so we can use Python or CyberChef to extract the domain field.
For the sake of simplicity, we leveraged CyberChef and a JPath expression to filter the JSON output to return the 7 resulting domains.
We achieved this with a JPath expression of response.records[*].query.
The 7 resulting domains can be seen clearly below.
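The filtering and extraction steps above can also be reproduced offline against an exported result set. The following is an added example, not code from the original post or from SilentPush: the regular expression, IP, date window and the response.records[*].query path come from the article, while the "answer" and "first_seen" field names and most sample records are constructed assumptions.

```python
import json
import re
from datetime import date

# Filter values from the article's advanced query.
DOMAIN_REGEX = re.compile(r"^[a-z]{1,}\-[a-z]{1,}\-[a-z]{1,}\.top$")
ANSWER_IP = "91.195.240.123"
FIRST_SEEN_AFTER = date(2024, 3, 18)
FIRST_SEEN_BEFORE = date(2024, 3, 22)

def rec(query, answer, first_seen):
    return {"query": query, "answer": answer, "first_seen": first_seen}

# Constructed sample export, defanged like the article. Only the
# response.records[*].query path is from the article; "answer" and
# "first_seen" are assumed field names and most values are constructed.
SAMPLE_EXPORT = json.dumps({"response": {"records": [
    rec("mofa-services-server[.]top", "91.195.240[.]123", "2024-03-20"),
    rec("documents-server-pk[.]top", "91.195.240[.]123", "2024-03-19"),
    rec("luxury-get-away[.]top", "91.195.240[.]123", "2024-03-21"),
    rec("parked-name[.]top", "91.195.240[.]123", "2024-03-20"),      # two words
    rec("three-word-name[.]com", "91.195.240[.]123", "2024-03-20"),  # wrong TLD
    rec("old-parked-name[.]top", "91.195.240[.]123", "2023-11-02"),  # too old
    rec("other-host-name[.]top", "192.0.2[.]10", "2024-03-20"),      # other IP
]}})

def refang(value):
    return value.replace("[.]", ".")

def defang(value):
    return value.replace(".", "[.]")

def matching_domains(export_json):
    """Apply the qanswer, date-window and domain_regex filters, then return
    the defanged query values (the response.records[*].query extraction)."""
    hits = set()
    for record in json.loads(export_json)["response"]["records"]:
        domain = refang(record["query"]).lower()
        first_seen = date.fromisoformat(record["first_seen"])
        if (refang(record["answer"]) == ANSWER_IP
                # Window bounds treated as inclusive (assumption).
                and FIRST_SEEN_AFTER <= first_seen <= FIRST_SEEN_BEFORE
                and DOMAIN_REGEX.match(domain)):
            hits.add(defang(domain))
    return sorted(hits)

if __name__ == "__main__":
    print("\n".join(matching_domains(SAMPLE_EXPORT)))
```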
The 7 domains have a recurring theme of Pakistan and Government agencies. We can also observe a recurring theme of IT Support services through mentions of updates, server, download and services.
(Later we'll see how these are TTPs of APT SideWinder)
These similarities indicate that the domains are related and that we’re onto something, especially given they share the same IP address and have close registration dates (as required by our filters).
So far, the domains share the same IP infrastructure, same naming schemes and similar registration dates. We can build on this and establish further commonalities, such as domain registrars, subdomains and associated files.
One method we can use to establish further commonalities is to perform WHOIS lookups on the domains. A WHOIS lookup will provide information about who registered the domains and which domain registrar they were registered with.
If the same domain registrar and registration information can be seen across multiple domains, this can be an indication that the domains are related.
Many services (such as WHOIS) can perform these lookups but are limited to individual searches. We will leverage SilentPush for our lookups, as it supports bulk searches and significantly speeds up our process.
After exporting the resulting JSON and parsing it with CyberChef, we can see that 6/7 of the domains were registered with NameSilo on 2024-03-19 with exact registration times within minutes of each other.
One of the resulting domains, luxury-get-away[.]top, features a different naming theme and registration time. For the purposes of this blog, we will ignore this domain for the remainder of this analysis.
We now had 6 related domains, 5 of which were new and discovered through pivoting.
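Consider that our analysis established these commonalities between the 6 domains: the same .top Top Level Domain, the same registrar (NameSilo), the same IP address 91.195.240[.]123 (and hence, the same ASN 47846), and the same registration date of 2024-03-19, with registration times between 04:09 and 04:11.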
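The registrar and registration-time comparison described above can be automated once WHOIS data is exported in bulk. The following is an added example, not code from the original post: the record layout, the per-domain timestamps (placed inside the 04:09 to 04:11 window the article reports), the "constructed-sample" names and "ExampleRegistrar" are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed WHOIS export: (domain, registrar, creation time).
WHOIS_RECORDS = [
    ("mofa-services-server[.]top", "NameSilo", "2024-03-19T04:09:00"),
    ("documents-server-pk[.]top", "NameSilo", "2024-03-19T04:11:00"),
    ("constructed-sample-a[.]top", "NameSilo", "2024-03-19T04:10:00"),
    ("constructed-sample-b[.]top", "NameSilo", "2024-01-05T13:40:00"),
    ("constructed-sample-c[.]top", "ExampleRegistrar", "2024-03-19T04:10:00"),
]

def registration_clusters(records, max_gap=timedelta(minutes=5), min_size=2):
    """Group domains that share a registrar and were created in one burst.

    Within each registrar, domains are sorted by creation time and a new
    cluster starts whenever the gap to the previous domain exceeds max_gap.
    Returns a list of (registrar, [domains in creation order]).
    """
    by_registrar = defaultdict(list)
    for domain, registrar, created in records:
        key = registrar.strip().lower()
        by_registrar[key].append((datetime.fromisoformat(created), domain))

    clusters = []
    for registrar, items in sorted(by_registrar.items()):
        items.sort()
        current = [items[0]]
        for item in items[1:]:
            if item[0] - current[-1][0] <= max_gap:
                current.append(item)
                continue
            if len(current) >= min_size:
                clusters.append((registrar, [d for _, d in current]))
            current = [item]
        if len(current) >= min_size:
            clusters.append((registrar, [d for _, d in current]))
    return clusters

if __name__ == "__main__":
    for registrar, domains in registration_clusters(WHOIS_RECORDS):
        print(registrar, domains)
```

Domains that share the registrar but fall outside the burst, or share the time but not the registrar, are left out of the cluster, which is how an outlier among otherwise related results would surface.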
Recall that the initial domain shared by DocGuard had the primary malicious activity under the docs subdomain of docs.mofa-services-server[.]top.
We wanted to see if our new domains had any such subdomains which could establish a further pattern linking the activity to the initial domain.
Recall the docs.mofa-services-server[.]top domain shared by DocGuard. The docs subdomain was first seen on 2024-05-01, approximately 6 weeks after the parent domain was first registered.
We ran an identical search for our documents-server-pk[.]top domain, which revealed a similar pattern where a pmo subdomain was created approximately 6 weeks after the parent domain first appeared.
One theory is that the Threat Actor is “sitting” on parent domains and then performing malicious activity via subdomains at a later date. This may be to avoid domain-based filtering that blocks or alerts on recently registered infrastructure (<30 days old).
Repeating the subdomain searches returned a total of 15 subdomains featuring Government themes and new government entities of
We can see these themes in the screenshot below.
Of additional interest here is that we see domains targeting Sri Lanka (lk) and Nepal, and that the majority of subdomains exist under gov-pk[.]com, which is an impersonation of the legitimate domain gov[.]pk.
We can also observe that pubad.gov.lk.govt-pk[.]com is an impersonation of the legitimate Sri Lankan domain pubad.gov[.]lk.
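Both impersonation styles noted above can be checked for in DNS or proxy logs. The following is an added example for defenders, not code from the original post: the function names and the two heuristics are assumptions of this sketch, and the protected list holds only the two legitimate domains the article names.

```python
# Legitimate domains named in the article; extend with your own list.
PROTECTED = ["gov.pk", "pubad.gov.lk"]

def refang(host):
    return host.replace("[.]", ".").lower().rstrip(".")

def impersonation_reasons(host, protected=PROTECTED):
    """Return why a hostname looks like an impersonation of a protected
    domain, or an empty list when no heuristic fires."""
    host = refang(host)
    # Hosts genuinely under a protected domain are not impersonations.
    if any(host == d or host.endswith("." + d) for d in protected):
        return []
    labels = host.split(".")
    reasons = []
    for legit in protected:
        legit_labels = legit.split(".")
        n = len(legit_labels)
        # Heuristic 1: the legitimate domain appears as consecutive labels
        # with at least one more label to its right, i.e. it is only a
        # subdomain prefix of some other parent domain.
        if any(labels[i:i + n] == legit_labels
               for i in range(len(labels) - n)):
            reasons.append(f"embeds {legit} as subdomain labels")
        # Heuristic 2: the dots of the legitimate domain were replaced by
        # hyphens inside a single label (TLD label excluded).
        hyphenated = legit.replace(".", "-")
        if any(hyphenated in label for label in labels[:-1]):
            reasons.append(f"hyphenated form of {legit}")
    return reasons

if __name__ == "__main__":
    for sample in ("pubad.gov.lk.govt-pk[.]com", "gov-pk[.]com",
                   "pubad.gov[.]lk", "www.gov[.]pk"):
        print(sample, impersonation_reasons(sample))
```

The hyphen heuristic is an exact substring check, so a variant spelling such as govt-pk is only caught here through the embedded pubad.gov.lk labels.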
Most of the identified parent domains did not have an associated subdomain. We believe this is likely due to the “waiting” that the actor is using after the parent domain is first created.
At the time of this writing, we could not find any publicly available reports on our 37 newly identified domains.
However, we found two extremely interesting reports by BlackBerry and Group-IB that detail 2023 activity of the Indian Advanced Persistent Threat (APT) known as SideWinder. This Threat Actor is known for targeting Pakistan, Nepal and Sri Lanka. (All in line with the activity we observed so far)
Both reports provide the following details and TTPs regarding the SideWinder group.
The BlackBerry report contains a list of known SideWinder domains targeting South Asian countries.
The following domains were extracted from the BlackBerry report and show remarkable similarities to those identified during our analysis. Note the heavy usage of...
Although we have grouped this under one heading, this screenshot represents 4 unique commonalities between the domains we identified and known activity from APT SideWinder.
The second report shows domains with remarkable similarities to those identified in our analysis.
Both the Group-IB and BlackBerry reports detail SideWinder activity where initial access is achieved via weaponised documents with Government Entity themes.
Additionally, both reports detail a malicious document titled GUIDELINES FOR BEACON JOURNAL – 2023 PAKISTAN NAVY WAR COLLEGE (PNWC).doc.
The reports detail that this document leveraged a remote template injection vulnerability, CVE-2017-0199, to download a remote file named file.rtf that contained obfuscated JavaScript code.
A visual overview of the document (Taken from BlackBerry and Group-IB) can be seen below.
The BlackBerry article details another SideWinder document featuring Pakistan Government themes and an overall well-made and professional-looking email.
By taking the hash from VirusTotal and searching it on Hybrid-Analysis, we see a similar theme of Government entity-themed phishing with password-protected .zip files.
The end of the document featured a prompt to download a password-protected file.
The presence of password-protected .zip files (likely containing malware) instead of CVE-2017-0199 represents both a strong link (via weaponized docs) and a slight change in SideWinder activity and techniques.
The overall tactic of weaponized documents is continued, but the specific tactic of CVE-2017-0199 has changed to a password-protected zip file.
A subset of the older SideWinder domains shared by BlackBerry and Group-IB feature NameSilo as the domain registrar.
Many shared domains did not feature NameSilo, but this shows that SideWinder is familiar with NameSilo and uses it for a subset of their domain infrastructure.
Since all of the domains we featured today utilised NameSilo, this indicates a weaker but still useful connection between the new domains and those already publicly attributed to SideWinder.
We have now analysed a single domain indicator with threat intelligence tooling and identified 37 new domains with strong relations to known SideWinder activity. We analysed historical records around IP addresses, domain registrars, registration dates, associated files, and subdomains.
The tool used in this analysis was SilentPush. If you'd like to follow along, consider signing up for the Community Edition.