
Look for traces of APT attacks through the ZoomEye History API


Author: Heige (a.k.a. Superhei) of KnownSec 404 Team
Date: May 25, 2020

Chinese version:

We released ZoomEye's historical data API query interface in ZoomEye 2020, which launched in January this year. Next, I will introduce some examples of using the ZoomEye History API to capture traces of APT team attacks.

Instructions for using the historical query API interface:

Of course, we have also updated our ZoomEye SDK to support the history API:

Before going through the cases, I must explain ZoomEye's online data update mode again: it is an overwrite update mode. Many malware teams, including many APT teams, abandon a C2 server immediately after it is discovered. As a result, the data on ZoomEye stays cached, without being updated and overwritten.

The first case is about the Darkhotel APT group

I have already mentioned it in this tweet. Of course, I need to explain a "bug" in this tweet here, although this "bug" has nothing to do with the issue discussed today: the vulnerability used in this attack should be CVE-2019-1367 instead of CVE-2020-0674 (here we need to thank the friends who joined the discussion).

In this Darkhotel attack, they attacked the website service on the IP and implanted an IE 0day to carry out a watering hole attack. So we queried all historical data of this IP on ZoomEye:

List all scan time records and ports for this IP:

Query the time and port at which the IE 0day was implanted for the watering hole attack:

It turned out that this watering hole attack continued from at least '2019-10-06 05:24:44' to '2020-01-28 10:58:02'. This also shows that the Darkhotel APT group attacked the website on this IP as early as 2019-10-06.

We continue by analyzing the port services of this IP in 2019:

This is a very typical Tomcat-based JSP operating environment, and port 8009 (AJP) was once open. Many attack events show that weak Tomcat management passwords, security vulnerabilities and other issues leave such servers very vulnerable. Perhaps this is also the method used in this attack.

The second case is about APT-C-01 (a.k.a. Green Spot)

Qi An Xin Threat Intelligence Center released a detailed analysis report on APT-C-01 in 2018: (En)

"The loader program will first try to connect to a common URL to check network connectivity. If there is no connection, it will try to connect every five seconds until the network is connected. Then it downloads the payload from hxxp://"

We put our focus on the payload download URL hxxp://. Using the ping command, we can no longer resolve this domain name to an IP address:

From the Chinese version of the report, we see a screenshot showing that the site has an open directory listing (opendir).

This means we can find the target by searching for "tiny1detvghrt.tmp" on ZoomEye. Very luckily, we found it:

Once again, after the APT attack was discovered, these IPs were directly abandoned.

We get the IP of the domain name and continue to query the historical records through the ZoomEye history API interface:

Let's look at the time interval of the tiny1detvghrt.tmp deployment: from at least '2017-11-21 19:09:14' to '2018-05-20 00:55:48'.

Let's look at the point in time before the tiny1detvghrt.tmp deployment: 2017-10-04 05:17:38

From the file naming and the file size, it can be inferred that at this point in time the attacker was running a drill before the attack.
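The timeline reasoning used in both cases above (the first and last scan that captured the implanted marker, and the scan just before it appeared) can be sketched as follows. This is an added example, not the author's or ZoomEye's code; it runs on constructed records, and the field names `timestamp`, `port` and `banner` are assumptions, not the History API's actual schema.

```python
from datetime import datetime

FMT = "%Y-%m-%d %H:%M:%S"

# Constructed sample records, not real ZoomEye output. The field names
# (timestamp, port, banner) are assumptions for this example. Three
# timestamps are the ones quoted in the text; everything else is invented.
SAMPLE_HISTORY = [
    {"timestamp": "2018-05-20 00:55:48", "port": 80, "banner": "Index of /\ntiny1detvghrt.tmp"},
    {"timestamp": "2017-10-04 05:17:38", "port": 80, "banner": "Index of /\nsample-drill.tmp"},
    {"timestamp": "2017-11-01 10:00:00", "port": 22, "banner": "SSH-2.0-OpenSSH"},
    {"timestamp": "2017-11-21 19:09:14", "port": 80, "banner": "Index of /\ntiny1detvghrt.tmp"},
    {"timestamp": "2018-08-01 12:00:00", "port": 80, "banner": "HTTP/1.1 404 Not Found"},
]


def marker_timeline(records, marker):
    """Bound the period during which `marker` was visible in scan banners."""
    scans = sorted(records, key=lambda r: datetime.strptime(r["timestamp"], FMT))
    hits = [r for r in scans if marker in r.get("banner", "")]
    if not hits:
        return None  # marker never captured: no conclusion either way
    first, last = hits[0]["timestamp"], hits[-1]["timestamp"]
    hit_ports = {r["port"] for r in hits}
    # Only a scan of the same port can show that the marker was absent;
    # a scan of another port on that day says nothing about it.
    same_port = [r["timestamp"] for r in scans if r["port"] in hit_ports]
    before = [t for t in same_port if t < first]  # fixed-width format sorts as text
    after = [t for t in same_port if t > last]
    span = datetime.strptime(last, FMT) - datetime.strptime(first, FMT)
    return {
        "first_seen": first,          # deployed at or before this scan
        "last_seen": last,            # removed at or after this scan
        "scan_before": before[-1] if before else None,
        "scan_after": after[0] if after else None,
        "observed_days": span.days,   # lower bound on exposure
        "ports": sorted(hit_ports),
    }


if __name__ == "__main__":
    for key, value in marker_timeline(SAMPLE_HISTORY, "tiny1detvghrt.tmp").items():
        print(f"{key}: {value}")
```

Because scans are periodic, `first_seen` and `last_seen` are only the "at least" bounds the text describes; the real deployment falls somewhere between `scan_before` and `first_seen`.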

Final summary

A cyberspace search engine that uses active detection methods is very useful for tracking cyberattack threats. Through the timeline of its historical records, it lets us re-examine the attacker's attack methods, purposes, and processes. Finally, I would like to thank all the friends who support ZoomEye. As the world's leading search engine for cyberspace mapping, ZoomEye has been working hard!


This article was published by Seebug Paper. Please credit the source when reprinting. Article address:

Author: 江 | Categories: Technology Sharing