Cisco Talos CCleaner Victim Domain List (source)

Recently, the CCleaner tool contained malware likely infecting millions. Cisco’s Talos threat intelligence group analyzed some of the data around the CCleaner malware command and control (C2) to get deeper into the second stage. Talos released a list of domains for which victims would receive a second-stage package, likely for further operations.

While most names were familiar to me, the subdomains intrigued me. The adversary was not just interested in sony.com, but particularly in the JP and AM sub-domains within Sony. Not just microsoft.com, but ntdev.corp.microsoft.com. Understanding these sub-domains and their role may offer more insight into the interests of the adversary.

This list likely changed over time, and this list is only a snapshot in time, so it’s difficult to provide a complete profile of adversary interest, but it is interesting for that snapshot.

So, I went digging for about 30 minutes and here’s what I found.

Interesting Findings

  • These are not well-known subdomains. This means the adversary identified them somehow and then assigned them greater value, i.e. selected them to receive the second stage. This very strongly indicates targeted activity rather than a commodity threat.
  • This isn’t a clear-cut case of economic espionage because of the tendency towards telecommunications, which can serve intelligence value well beyond intellectual property theft.
  • While I didn’t find a correlation among them all, many of these domains were listed in leaked document/email dumps like WikiLeaks and the Panama Papers.
  • Especially strong correlation between all domains being associated with electronics and technology.
  • A large number (16 of 24 – 66%) of targets involved telecommunications and telephony [Samsung (mobile handsets), Singtel (telecommunications), Sony (most don’t know about Sony Mobile), Intel (chips for mobile), Microsoft (maker of Windows Phone), Cisco (lots of telephony), O2, Vodafone, Linksys, Dlink].
  • The odd domain is gg.gauselmann.com, involved in gaming and gambling equipment, which doesn’t have a correlation with any other victims. This adds strength to the hypothesis that the victim list is a changing requirement set and the adversary may be satisfying a large variety of needs.
  • The three prominent geographic elements amongst the domains: Asia, Europe, and North America.

Victim Domains

singtel.corp.root – Internal domain related to Singapore Telecommunications Limited (Singtel), a Singaporean telecommunications company.

htcgroup.corp – This domain is actually ambiguous because there are many “HTC Group” organizations and the well-known electronics manufacturer isn’t publicly referenced as “HTC Group”.

samsung – Clearly a reference to the well-known electronics manufacturer.

samsung-breda – Samsung Electronics Europe Logistics located in Breda, The Netherlands (Yelp Entry)

samsung.sepm – Likely Samsung Electronics Poland Manufacturing (SEPM) (Wiki Page)

samsung.sk – Samsung Slovakia (Web Site)

jp.sony.com – Sony Japan

am.sony.com – Sony Americas

gg.gauselmann.com – I didn’t know anything about the Gauselmann Group. Now I do! The “gg” sub-domain likely refers to a subsidiary, Gebrüder Gauselmann (source), which has its own domain (http://www.gg-oelde.de/). The subsidiary focuses on the development of gaming/gambling electronics and equipment.

“The Gauselmann Group is a family-run, internationally active company for the entertainment and leisure industry. In addition to the development, production and distribution of entertainment gambling and money management systems, the Group operates the well-known casino chain CASINO MERKUR-SPIELOTHEK. In addition, the Gauselmann Group is also active in many other areas, such as sports betting, online gaming and gambling.” (Source)

vmware.com – The well-known virtualization software developer.

ger.corp.intel.com – Intel Corporation Germany

amr.corp.intel.com – Intel Corporation US and Canadian Region (source)

ntdev.corp.microsoft.com – The Windows development network; an older domain dating back to NT kernel development. (source1, source2)

cisco.com – Well-known network-centric equipment manufacturer.

uk.pri.o2.com – An internal domain for the European telecommunications company O2. This is likely the subdomain for UK operations (source1, source2).

vf-es.internal.vodafone.com – Vodafone is a global telecommunications company. The VF likely refers to Vodafone and the ES likely refers to Spain; there is some data relating this domain to corp.vodafone.es, strengthening that assertion (ref1, ref2).

linksys – Well-known network equipment manufacturer.

apo.epson.com – Well-known technology company focused on printers, projectors, wearables, robots, etc.

msi.com.tw – Electronics manufacturer; Taiwanese organization.

infoview2u.dvrdns.org – DVRDNS is another name for DynDNS, the dynamic DNS service. No information on infoview2u.

dfw01.corp.akamai.com – An internal domain related to Akamai, the well-known internet technologies company.  Several Autonomous System Numbers (ASNs) associated with Akamai (e.g., AS18680) are registered as Akamai DFW Technologies Inc. (source)

hq.gmail.com – A quick analysis didn’t reveal any intelligence on this domain, but it is clearly related to the largest consumer email service run by Google, Gmail.

dlink.com – Well-known network equipment manufacturer.

test.com – Domain related to online certification and assessment company Gauge.
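The list above mixes public hostnames (jp.sony.com), Active-Directory-style internal names (singtel.corp.root, htcgroup.corp) and bare single-label names (samsung, linksys), which is part of why the author reads it as targeted rather than commodity. The script below is an added example, not code from the original post or from the Talos report: it takes the 24 entries exactly as reproduced on this page, sorts them into those three shapes, and offers a suffix-match check so a defender can test an asset inventory's machine domains against the list. The "internal" label set and the whole-label suffix matching are this example's own assumptions; they are not a description of how the implant itself performed its comparison.

```python
"""Parse the CCleaner stage-2 target list (as reproduced on the page) and
check inventory machine domains against it.

Added example; not part of the original post or the Talos report. The
grouping heuristic and the suffix-match semantics are assumptions made here.
"""
from collections import defaultdict
from typing import Optional

# The 24 stage-2 target entries, copied from the list on the page.
TARGET_DOMAINS = [
    "singtel.corp.root", "htcgroup.corp", "samsung", "samsung-breda",
    "samsung.sepm", "samsung.sk", "jp.sony.com", "am.sony.com",
    "gg.gauselmann.com", "vmware.com", "ger.corp.intel.com",
    "amr.corp.intel.com", "ntdev.corp.microsoft.com", "cisco.com",
    "uk.pri.o2.com", "vf-es.internal.vodafone.com", "linksys",
    "apo.epson.com", "msi.com.tw", "infoview2u.dvrdns.org",
    "dfw01.corp.akamai.com", "hq.gmail.com", "dlink.com", "test.com",
]

# Trailing labels that only occur on private (Windows-forest style) names,
# never as public TLDs. Heuristic chosen for this example.
INTERNAL_TLDS = {"corp", "root", "sepm", "internal", "local"}


def normalise(name: str) -> str:
    """Lower-case and strip whitespace and any trailing dot before comparing."""
    return name.strip().lower().rstrip(".")


def classify(domain: str) -> str:
    """'bare' for single-label names, 'internal' for non-public TLDs, else 'public'."""
    labels = normalise(domain).split(".")
    if len(labels) == 1:
        return "bare"
    if labels[-1] in INTERNAL_TLDS:
        return "internal"
    return "public"


def group_by_class(domains):
    """Bucket the target list by the shape of each name."""
    groups = defaultdict(list)
    for d in domains:
        groups[classify(d)].append(d)
    return dict(groups)


def matches_target(host_domain: str, targets=TARGET_DOMAINS) -> Optional[str]:
    """Return the target entry that host_domain equals or sits beneath, else None.

    Matching is on whole labels, so 'notsamsung.com' does not match 'samsung'
    and the apex 'sony.com' does not match the more specific 'jp.sony.com'.
    """
    h = normalise(host_domain)
    for t in targets:
        t_n = normalise(t)
        if h == t_n or h.endswith("." + t_n):
            return t
    return None


def triage(inventory, targets=TARGET_DOMAINS):
    """Map each inventory domain that matches a target to the entry it hit."""
    hits = {}
    for dom in inventory:
        m = matches_target(dom, targets)
        if m is not None:
            hits[dom] = m
    return hits


if __name__ == "__main__":
    # Constructed sample inventory (fictional machine DNS names, not real assets).
    SAMPLE_INVENTORY = [
        "build01.ntdev.corp.microsoft.com",
        "fileserver.example.local",
        "ws-17.samsung.sk",
        "notsamsung.com",
        "sony.com",
    ]
    for cls, names in sorted(group_by_class(TARGET_DOMAINS).items()):
        print(f"{cls:8s} {len(names):2d}  {', '.join(names)}")
    for dom, tgt in triage(SAMPLE_INVENTORY).items():
        print(f"HIT {dom} -> {tgt}")
```

Run as-is it reports 3 bare, 3 internal-style and 18 public entries, and flags only the two constructed inventory names that actually sit beneath a listed entry; the apex sony.com does not match because only its JP and AM sub-domains are on the list, which is exactly the distinction the post draws.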