Summary up front:
This document shows how I’ve been using Silent Push to track SmartApeSG. These are repeatable steps that an analyst or enthusiast can follow to do the same.
Table of Contents
PRE-GETTING STARTED:
I haven’t posted in a while because I had some stuff going on, so I had to take a pause on posting about the things I research at home. Before I forget, here’s a little blurb just in case you were wondering if I perform research during my personal time (I do – I spend a copious amount of time at home performing research) using personally-acquired resources (I do, I use free and inexpensive resources that I pay for with my own money)!
THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH, ANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN PERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED HERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR FUNDED BY MY EMPLOYER.
With that out of the way, I’M BACK! ALOHA KAKOU! ALOHA MAKOU!
Intro:
I’ve been using Silent Push for a little over a month to track SmartApeSG, and I’ve been pretty stoked about it. I’ve been using it to find SmartApeSG domains as IoFAs. I just saw Silent Push post this LinkedIn post, and this X post, so I took it as a sign that there is no time like the present to share my monitoring TTPs!
I’m a big fan of the concept of Indicators of Future Attack (IoFAs). Silent Push discusses it here. Back in April I had started SocGholish Research. It was cool. I got help from Monitor SG, and I was learning a lot. I started wondering if there was a way to find SocGholish domains before the IOCs were disseminated. It’s possible to find SmartApeSG domains that haven’t been published as IOCs with Silent Push. You should view the Silent Push posts on SmartApeSG as a primer if you don’t already have a working knowledge on SmartApeSG because this will mostly focus on the queries I use in Silent Push to find the domains.
Getting started: Find a reported SmartApeSG domain
How can this be accomplished with Silent Push? First, let’s get some IOCs. My go to resources for Fake Update IOCs are Monitor SG’s Mastodon feed, Proofpoint’s ET Open Suricata Rules, and Threat Fox. The simplest method might be to check Threat Fox here: https://threatfox.abuse.ch/browse/tag/SmartApeSG/.
Here’s a snip of IOCs from early to mid-August – courtesy of the real MVP: @monitorsg. I’ll only be using the domains.
Searching IOCs via Web Scanner:
With your free Community Edition from Silent Push, you can search for these domains in using Web Scanner. If you’re following along, we are currently in the fingerprinting phase. We want to look for patterns that could be used to detect other domains. We want to go from IOCs to IoFAs. You can use the “One of” operator to search a list of domains.
Here is a snip of the results below:
Here’s a quick note on my output because it’s different than the default. I’ve modified the default columns. You can do that by clicking the columns icon next to the Basic Raw Data button. From there you can enable or disable the columns to display, and you can click and drag the column headers to modify the order.
I’ve moved ssl.subject.common_name to be next to the url column because I’ve found that some SmartApeSG scan results will show domain A is using domain B’s cert, so it helps to identify additional infrastructure. I can’t recall if geoip.asn was there by default, but it’s another helpful column to keep in view in order to observe ASN patterns with the results.
Here’s a snip showing how barelytherejewels and alphawatchrmf are both using the focussecurevideo cert. Also note how the ASNs are generally the same. They change periodically, but SmartApeSG will use the same ASN for a period of time, and that can be used for monitoring.
Finding patterns:
Note in the snip above that the htmltitle is “crome” in July, and then in the first results snip, it was “Job Board”.
Here’s a little thought detour into the Job Board template:
Previous templates: Job Board
During research, I observed that the SmartApeSG domains used the same template. I did a Google image search.
It appears to be the “Job Board 2 – Recruiting Agency HTML Template” like the one here: hxxps[:]//lifeinsys[.]com/item/job-board-recruiting-agency-html-template
You can use the Compare feature in Silent Push to find similarities and differences. I use the more recent results (Job Board). To do this, select the two results you want to compare. Then, click the Compare button in the top-right. I specifically chose the results with different IP. SmartApeSG appears to add two domains at a time per IP. I’ve observed sometimes they have more than two domains responding on a single IP. I suspect they are using the same IP in order to have redundant domains up while the domain in use gets burned.
I like to focus on the similarities first:
You can skim through the list to see that there are a few specific similarities we can use to search for more infrastructure. The fields I first started with were the matches on the header.server, html_body_ssdeep, the htmltitle, the origin_geoip.asn, and the ssl.issuer.organization; as seen below.
Applying the fingerprint to the query:
You can go back to the results, and add each of these values to the simple query builder to find additional infrastructure. Go back to the results and click the Expand link that is floating to the right of each result.
Next, click each field value you want to add to the query, then click the Equals option in the Add to Query popup.
After it’s added, you’ll get a confirmation toast:
After you’ve added all of the new filters, you’ll want to remove the initial domain filter, so that we can find other domains. It should end up to be something like below:
This will give you great results, as seen below:
You can see from the results below that one IP appears to be favored. Later we can add a query to monitor IPs.
Measuring success:
I’ve observed that Monitor SG publishes IOCs first the most consistently. There are other great key players that might publish IOCs before him here and there, but it is mostly Monitor SG that I observe publishing them first. With that, I use Monitor SG as the measuring stick. Using Silent Push, I was able to find them a few days earlier. I didn’t always post the IoFAs, but the snip below shows I had posted it almost 24 hours prior to Monitor SG on one occasion. This kind of validates the value of this. I think the output from this activity could be used to implement countermeasures ahead of the domains being used.
The next problem: What about when they change it up?
I’ve observed one change-up so far. It appears that SmartApeSG has changed from using the Job Board template to “Activitar | Template”, it looks like they are (or were) transitioning to other ASNs (202015 HZ-US-AS (30AUG24), and 3356 – LEVEL3, US (09SEP24)), the web server has changed from nginx to Apache. Also, in this document we’ve been using the title, but I previously used the favicon MD5. I had to change from using that to using the HTML Title because the new template does not have a favicon listed in the Silent Push results.
Before we get into the query, let’s take a gander at the template and see if we can find where it comes from. Here’s the URL to the photo from the Silent Push X post: https://x.com/silentpush_labs/status/1835797849478447240/photo/1. Here’s the URL to the image resource that we can paste into a Google image search: https://pbs.twimg.com/media/GXoB6vAXEAAZjQ1?format=jpg&name=large. On second thought, we can just click the Google Lens button since I’m using Chrome at home:
That shows us a good match for the Assertion101 Writeup result:
Clicking that first result expands the 9 other results:
That snip shows us it may be a template, but it may also related to some kind of hacking write-up. It looks like it’s VulnHub VM:
https://www.vulnhub.com/entry/assertion-101,495
It’s pretty interesting that the template they chose was related to a Vuln Hub VM. I wonder if this is intentional or just by chance. It would be cool to monitor for the next template they use to see if it is also hacking related. We’ve digressed for far too long and we need to get back to the query.
First, you need to know when it’s changed. For this, I think I first realized it changed after Monitor SG posted an IOC for a domain I wasn’t tracking. I can’t recall which one it was, but this just highlights why it’s important to monitor the threat feeds. You can fingerprint the threat actor to find the new domains ahead of time, but it may become moot when they change it up.
Here’s the new query to find both:
There are a couple of things to note from the snip above. First, you will run into an issue if you try to replicate this in Simple Search. For some reason, you can’t use the One of operator for the geoip.asn using the Simple Search, for it is not an option, as seen below:
I suspect that this is because it is saved as a numerical value instead of a string. You’ll have to use the Advanced Search to overcome this. Click the Advanced Search tab, then click the Edit Web Scanner Search Form button:
Next, copy the query as seen below:
htmltitle = [“Activitar | Template”, “Job Board”] AND geoip.asn = [202015, 29802, 3356]
That’s how to accomplish that. Next, you may have noticed it’s a saved search. It is a saved search that I have. The name is SmartApeSG by title, and then the description is below that. You can create a saved query by clicking the Save button in the top-right:
Next, you can add the meta data and save it:
After you’ve saved it, you can access it from the My Searches button in the top-right.
Click the Saved tab, then click to populate your saved search:
Voila! I only have access to the free Community Edition, but it looks like you’d be able to set this as a monitored query as seen as an option in the snip below:
IP observation: SmartApeSG rotates domains through a limited set of IPs
I’ve observed that the SmartApeSG actors will point new domains to existing IPs. The IPs appear to be used specific to SmartApeSG. Because of this, you can track new domains by monitoring the existing IPs. This is my current query to monitor this behavior:
Here is the results page that you can use to make some observations with:
The first observation is that the recent searches return results from the ASNs 3356 and 202015. I scrolled down to find the last result for ASN 29802, and it looks like the last scan was on 07SEP24.
The next observation is that the web servers may be specific to the host they use because it is different per ASN.
You could take those observations and add them to your monitoring query as you see fit. Even if they don’t apply to SmartApeSG, you could apply it to tracking other threats.
Applying the concepts: Other Fake Update delivery methods
For SocGholish delivery research, I applied these same concepts. You could repeat these concepts for monitoring SocGholish. Within the past month, I’ve observed that the Keitaro TDS domains and Parrot TDS domains used to deliver SocGholish appear to use the same IP respectively. Keitaro TDS appears to rotate frequently, while the Parrot TDS IPs stayed constant for a good amount of time. I believe you could use this knowledge to gain IP IoFAs by monitoring the known TDS domains.
Application of IoFAs: Preventative measures
I believe an organization could possibly prevent SmartApeSG by a few ways. At the network level, an organization can improve their security by blocking the IPs and domains at their perimeter IPS, they could add the IoFAs to a DNS Sinkhole implementation, and an organization could also create rules for their IDS using the IoFAs. At the host level, the IoFAs could be added to a blacklist for the EDR (or XDR or whatever extreme name you use). Additionally, these IoFAs could be theoretically added to a SIEM that is being used.
Pre-summary notes: Check out the Silent Push Tutorials
Silent Push has tutorials that cover the concepts discussed in this document. The Silent Push tutorials are located here. They’ve got other hidden gems of knowledge, so I recommend taking a look around at their resources. Also, the Community Edition gives you 50 queries a day – just in case you were wondering.
Summary:
This document shows how I’ve been using Silent Push to track SmartApeSG. These are repeatable steps that an analyst or enthusiast can follow to do the same. If you’ve made it this far – Mahaloz, I hope this document will benefit you in your future endeavors. ALOHAZ!