Cybercriminals generally need to use online servers, be it to collect stolen data, communicate with an infected machine via malware or host phishing pages. One of the common techniques used by these threat actors to try to add a strong layer of anonymity consists of using The Onion Router (Tor) network to hide the location of their servers.
Ransomware threat actors in particular, who know they attract a lot of attention and that their activities are tracked and investigated by both security researchers and law enforcement agencies, make a heavy use of the Tor network.
When used appropriately, Tor provides a fairly strong layer of anonymity, but it can also be badly configured and leak information that can be used against fraudsters.
SEE: Password breach: Why pop culture and passwords don’t mix (free PDF) (TechRepublic)
It is important to note that servers hosted on the Tor network are just typical servers hosted on the Internet — users are merely accessing them via a special network.
How to de-anonymize fraudulent Tor web servers
Cisco Talos published new research that exposes three different ways to get more information and de-anonymize domains hosted on the Tor network and used by ransomware threat actors.
First method: Certificate matching
Transport Layer Security is a protocol used for end-to-end encryption between computers on the Internet. Typically, it is the protocol used when establishing HTTPS communications. To do so, the web server the user accesses needs a TLS certificate, which is provided when communicating. Such a certificate contains some information that can be tracked and used to investigate.
Some ransomware threat actors actually use those certificates for their websites, making it possible to investigate and possibly find matches in the surface web (Figure A).
If a TLS certificate from a threat actor is indexed on the surface web, it will lead to the web server that is using the Tor network so the hosting is fully de-anonymized. It might also lead to other content from the same threat actor, which is also valuable for further investigation.
With the help of something like the Shodan online service, which indexes information from the Internet, including TLS certificates, it becomes easier to investigate.
Second method: Favicon matching
The favicon is that tiny icon that users see in the browser’s URL bar when browsing a website or looking at their bookmarks list (Figure B).
Once again, using Shodan, it is possible to match favicons found on a fraudulent website hosted on the Tor network with favicons on the surface web.
The Quantum ransomware group is taken as an example by Talos researchers (Figure C).
Using its favicon from the dark web, they found its equivalent on the surface web and could locate the threat actor’s web server (Figure D).
Third method: Catastrophic OpSec failures
OpSec failures can lead even the most skilled actor to leak data from its infrastructure.
Talos notes that the Nokoyawa ransomware group did not secure some of its scripts properly, which allowed the researchers to exploit a directory traversal vulnerability. Basically, this consists of using a parameter sent in the URL of a HTTP request to gain access to a folder or file that should normally not be exposed on the Internet.
That failure, in addition to improper directory and files permissions, allowed the researchers to see through the anonymity of the threat actor by accessing /var/log/auth.log* directly on the Linux server hosting the web content. That file, once analyzed, revealed IP addresses used by the attackers to connect to the server via the SSH protocol.
Investigating and collecting threat intelligence on Tor-hosted networks is a difficult task, yet in many cases the Tor network does not provide 100% secure anonymity to its users. It needs a strong network and operating systems knowledge to use those services without making any mistakes.
By using different investigative techniques, including those exposed in this article, it is possible to de-anonymize some fraudulent servers and obtain information about the threat actor itself.
Disclosure: I work for Trend Micro, but the views expressed in this article are mine.