This post continues from the previous one: the group registered a large number of domains matching the pattern [A-Z]{2}\d{2}.cc.
DNS resolution
The CNAME records of the above domains all resolve as follows:
; <<>> DiG 9.11.4-P2-RedHat-9.11.4-26.P2.el7_9.9 <<>> xxxx.cc
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 65332
;; flags: qr rd ra; QUERY: 1, ANSWER: 10, AUTHORITY: 0, ADDITIONAL: 0
;; QUESTION SECTION:
;xxxx.cc. IN A
;; ANSWER SECTION:
xxxx.cc. 60 IN CNAME v8c2qwks-u.funnullv26.com.
v8c2qwks-u.funnullv26.com. 1 IN CNAME va4bd9ms.n.funnullv27.com.
va4bd9ms.n.funnullv27.com. 600 IN A 20.205.12.191
va4bd9ms.n.funnullv27.com. 600 IN A 20.239.91.10
va4bd9ms.n.funnullv27.com. 600 IN A 20.239.164.75
va4bd9ms.n.funnullv27.com. 600 IN A 104.208.78.201
va4bd9ms.n.funnullv27.com. 600 IN A 104.208.87.223
va4bd9ms.n.funnullv27.com. 600 IN A 207.46.132.60
va4bd9ms.n.funnullv27.com. 600 IN A 20.187.89.37
va4bd9ms.n.funnullv27.com. 600 IN A 20.187.96.180
A reverse lookup of the domains pointing at these IPs yields a list of further domains that fit the pattern.
Probably for ease of bulk management, every domain uses ns1.funnulldns.com as its NS; a reverse lookup on that nameserver turns up another batch of domains: https://securitytrails.com/list/ns/ns1.funnulldns.com
The owner of funnulldns.com appears to be funnull.com, a CDN provider.
Website content
On the evening of the 25th, these domains began redirecting to Tencent Cloud COS:
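As an added illustration (not code from the original post), the pivot steps above as a small Python parser over a constructed dig answer section: follow the CNAME chain to its terminal A records, collect the CNAME hosts, IPs and NS names as pivot indicators, and test candidate names against the [A-Z]{2}\d{2}.cc scheme with the dot escaped and case ignored, since DNS names are case-insensitive. The SAMPLE records are constructed to mirror the post's output, not live lookups.

```python
import re
from collections import defaultdict

# Names in the post follow [A-Z]{2}\d{2}.cc; match the whole name (optional trailing dot), ignoring case.
PATTERN = re.compile(r"^[A-Z]{2}\d{2}\.cc\.?$", re.IGNORECASE)

# Constructed dig output shaped like the post's answer section (sample data, not a live lookup).
SAMPLE = """\
;; ANSWER SECTION:
wk01.cc.                   60 IN CNAME v8c2qwks-u.funnullv26.com.
v8c2qwks-u.funnullv26.com.  1 IN CNAME va4bd9ms.n.funnullv27.com.
va4bd9ms.n.funnullv27.com. 600 IN A 20.205.12.191
va4bd9ms.n.funnullv27.com. 600 IN A 20.239.91.10
;; AUTHORITY SECTION:
funnullv27.com.          29570 IN NS ns1.funnulldns.com.
"""

RR = re.compile(r"^(\S+)\s+\d+\s+IN\s+(CNAME|A|NS)\s+(\S+)$")

def norm(name):
    # Lower-case and drop the trailing dot so owner/rdata lookups are consistent.
    return name.lower().rstrip(".")

def parse_records(text):
    """Return {(owner, rtype): [rdata, ...]} for CNAME/A/NS lines; ';' comment lines are skipped."""
    records = defaultdict(list)
    for line in text.splitlines():
        m = RR.match(line.strip())
        if m:
            owner, rtype, rdata = m.groups()
            records[(norm(owner), rtype)].append(norm(rdata))
    return records

def follow_chain(records, name, max_hops=8):
    """Walk CNAMEs from name to the terminal owner; return (chain, its A records). Guards against loops."""
    chain = [norm(name)]
    while (chain[-1], "CNAME") in records:
        nxt = records[(chain[-1], "CNAME")][0]
        if nxt in chain or len(chain) > max_hops:
            raise ValueError("CNAME loop or over-long chain at " + nxt)
        chain.append(nxt)
    return chain, records.get((chain[-1], "A"), [])

def pivots(records):
    """Collect what the post pivots on: intermediate CNAME hosts, terminal IPs and nameservers."""
    by_type = lambda t: sorted({r for (_, rt), rs in records.items() if rt == t for r in rs})
    return {"cname_hosts": by_type("CNAME"), "ips": by_type("A"), "nameservers": by_type("NS")}

def matches_pattern(name):
    # True if name fits the post's [A-Z]{2}\d{2}.cc naming scheme.
    return bool(PATTERN.match(name.strip()))
```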
> GET / HTTP/1.1
> Host: wk01.cc
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Content-Type: text/html; charset=UTF-8
< Transfer-Encoding: chunked
< Connection: keep-alive
< Location: https://aq545615-1-1310820385.cos.ap-nanjing.myqcloud.com/sda545adagf/index.html?channelCode=aq033
1310820385 is the unique ID of the Tencent Cloud COS account. The page content (archived copies) also contains:
<script type="text/javascript" src="//source-1310860841.cos.ap-guangzhou.myqcloud.com/download.js"></script>
<script>
var _hmt = _hmt || [];
(function() {
var hm = document.createElement("script");
hm.src = "https://hm.baidu.com/hm.js?4bfce7e2138b313a6cc13e4c3a7fc2ce";
var s = document.getElementsByTagName("script")[0];
s.parentNode.insertBefore(hm, s);
})();
</script>
This yields the Tencent Cloud COS ID 1310860841 and the Baidu Analytics (Tongji) ID 4bfce7e2138b313a6cc13e4c3a7fc2ce.
When the page is opened, it fetches the software download address from https://sdk.szdaqi88.com/web/arnwyp/aq033/init?channelCode=aq033&av=1&cv=1&hash=&xxxxxx.
$ dig sdk.szdaqi88.com
;; QUESTION SECTION:
;sdk.szdaqi88.com. IN A
;; ANSWER SECTION:
sdk.szdaqi88.com. 600 IN CNAME gtm-cn-7pp2mt5ut06.gtm-a1b9.com.
gtm-cn-7pp2mt5ut06.gtm-a1b9.com. 60 IN CNAME dfjo3f.g.ngxfence.org.
dfjo3f.g.ngxfence.org. 60 IN A 180.76.199.174
;; AUTHORITY SECTION:
ngxfence.org. 29570 IN NS ns2.wawadns.com.
ngxfence.org. 29570 IN NS ns1.wawadns.com.
sdk.szdaqi88.com CNAMEs to gtm-cn-7pp2mt5ut06.gtm-a1b9.com; gtm-a1b9.com is an Alibaba Cloud CDN domain.
To be continued...