
OmniNet Threat Update 8-4-2020

What threats are bubbling up this week? Quite a few as more people work from home and return to the offices. Ensure your customer’s increased protection by getting them a Home Office eXtension.

But here’s a brief investigation into one of the things that caught our eyes.

What do we have here?

At the end of July we saw a few blocked malicious websites, linked to the same IP address: 34.98.99.30.

Now, websites being blocked happens every day. Links from phishing emails or hacked social media accounts abound with them.

But multiple malicious host names attached to the same IP address is interesting. 

Over the weekend a couple of alerts came in, related to the same IP and matching a signature for the SpyEye botnet/virus.

We blocked the traffic, protected the Partner’s customer, and alerted the Partner.  However, any alert like this deserves more human attention. 

So, first, who owns it?  

Checking ARIN and OTX revealed… Google.

https://whois.arin.net/rest/net/NET-34-64-0-0-1/pft?s=34.98.99.30

https://otx.alienvault.com/indicator/ip/34.98.99.30

What else did OTX show?  1,000 plus URLs, all registered over the weekend.  

Suspicious and interesting: who buys that many domain names, and phishy-looking ones at that?

Is anything else going on there? A scan with an open-port tool shows more than just the HTTP/S ports open, and that is only checking the ‘common’ ports.

The sources say…

Next, time to use more tools. The ones listed are free (to a point) so feel free to follow along.

https://www.virustotal.com/gui/ip-address/34.98.99.30/detection

OmniNet Threat Update - Virustotal.com scan of 34.98.99.30

So far only one of the tools used was catching and blocking it, protecting our customers.

Moving on to another, RiskIQ. 

https://community.riskiq.com/search/34.98.99.30/hashes

RiskIQ evaluation of the threat.

They show lots of .ca and .au URLs being generated and producing threats as early as the 21st of July 2020. 

Running through the list of URLs at random, the first one tested, vman22 [dotx] com, was moved to the IP on the 31st.

Oh the fun of free tools. Something’s being built, with likely not the best of intentions.

What’s next?

Now, most of the calls go straight to the IP rather than through a host name, which is odd for ordinary web traffic; but that observation rests on the handful of computers that reported this IP to begin with.

We also observed blocked SMTP calls back to the IP address. Note Port 25 being open above.
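The pivot described in this post (one IP, many host names, direct-to-IP calls, and SMTP back to the same address) is easy to automate over blocked-connection logs. The script below is an added example, not OmniNet code: the log format is an assumption, the sample lines are constructed for illustration (the .example host names and the 192.0.2.10 address are placeholders; only 34.98.99.30 and vman22.com come from the post), and the thresholds are arbitrary.

```python
"""Pivot blocked-connection events on destination IP.

Added example (not OmniNet's tooling). Assumed log format, one event per line:
  <ISO timestamp> <source host> <dest ip> <dest port> <requested hostname or '-'>
"""
import ipaddress
import re
from collections import defaultdict

# Constructed sample events. .example host names and 192.0.2.10 are placeholders;
# 34.98.99.30 and vman22.com are the values discussed in the post.
SAMPLE_LOG = """\
2020-07-31T09:12:01Z ws-017 34.98.99.30 443 vman22.com
2020-07-31T09:15:44Z ws-017 34.98.99.30 443 login-secure-au.example
2020-08-01T11:02:13Z ws-042 34.98.99.30 80 -
2020-08-01T11:02:19Z ws-042 34.98.99.30 25 -
2020-08-02T03:40:07Z ws-009 34.98.99.30 443 account-verify-ca.example
2020-08-02T08:00:00Z ws-017 192.0.2.10 443 docs.example
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<dst>\S+)\s+(?P<port>\d+)\s+(?P<host>\S+)$"
)


def _is_ip_literal(value):
    """True if the 'hostname' field is actually an IP address."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def parse_events(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["port"] = int(e["port"])
        # '-' or an IP literal means the client never supplied a real host name.
        host = e["host"].lower()
        e["host"] = None if host == "-" or _is_ip_literal(host) else host
        events.append(e)
    return events


def pivot_by_ip(events, smtp_port=25):
    """Summarise per destination IP: distinct host names, direct-to-IP calls,
    SMTP attempts, and which internal sources were involved."""
    summary = defaultdict(
        lambda: {"hosts": set(), "direct": 0, "smtp": 0, "sources": set()}
    )
    for e in events:
        s = summary[e["dst"]]
        s["sources"].add(e["src"])
        if e["host"] is None:
            s["direct"] += 1
        else:
            s["hosts"].add(e["host"])
        if e["port"] == smtp_port:
            s["smtp"] += 1
    return dict(summary)


def flag_ips(summary, min_hosts=2):
    """Return {ip: [reasons]} for IPs worth a human look. The thresholds are
    arbitrary triage knobs, not a verdict: shared hosting and CDNs legitimately
    serve many host names from one address."""
    flagged = {}
    for ip, s in summary.items():
        reasons = []
        if len(s["hosts"]) >= min_hosts:
            reasons.append(f"{len(s['hosts'])} distinct host names")
        if s["direct"]:
            reasons.append(f"{s['direct']} direct-to-IP connections")
        if s["smtp"]:
            reasons.append(f"{s['smtp']} outbound SMTP attempts")
        if reasons:
            flagged[ip] = reasons
    return flagged


if __name__ == "__main__":
    for ip, reasons in flag_ips(pivot_by_ip(parse_events(SAMPLE_LOG))).items():
        print(ip, "->", "; ".join(reasons))
```

The output for the sample flags 34.98.99.30 on all three counts and leaves 192.0.2.10 alone. As the post notes, the address sits in Google's range, so many host names on one IP is not by itself malicious; the combination with direct-to-IP calls and port 25 traffic is what earns the human follow-up.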

We will keep checking on the IP address and domains to see what transpires.


Stay safe out there, and get OmniNet to provide your customers with ‘optimized clean internet’.