Practical Queries for Identifying Malware Infrastructure - Part 2

Threat Intelligence Queries with Censys.

Practical Queries for Identifying Malware Infrastructure - Part 2

This is a continuously updated list of interesting practical Censys queries.

Remote Access Hosting MZ Files

labels: remote-access and services.http.response.body:"This program cannot be run in DOS mode"

Darkgate Hosting Servers

autonomous_system.asn: 210644 and services.http.response.headers: (key: `Content-Transfer-Encoding` and value.headers: `binary`)
services.http.response.headers.content_disposition:*.xll
services.http.response.body_size=[45000 to 55000] and services.http.response.body:"This program cannot be run in DOS mode"
services.banner:"Autoit3.exe"

Possible Balada Malware

Based on tweets 1 and 2

services:(http.response.body="404 Not Found" and port:443 and tls.certificates.leaf_data.subject.common_name="*.*.com" and tls.certificates.leaf_data.issuer.organization="Let's Encrypt" and not tls.certificates.leaf_data.subject.common_name="www.*.com" and http.response.headers: (key: `Server` and value.headers: `nginx`) ) and services:(port:80 and http.response.headers: (key: `Server` and value.headers: `nginx`)) and not services.port:[1000 to 65000] and services.port:22 and not services.http.response.html_title:*  and not dns.reverse_dns.names:* and dns.names:*.*.com

Amadey/Rhadamanthys

Link - Based on tweet.

services.port:22 and services.port:80 and not services.port:[100 to 65000] and operating_system.vendor="Ubuntu" and not dns.reverse_dns.names:*.* and services.http.response.body_hash="sha1:7dd71afcfb14e105e80b0c0d7fce370a28a41f0a" and services:(software.vendor="nginx" and software.version="1.18.0" and software.part="a") and services.software.vendor="OpenBSD" and not autonomous_system.name:"AMAZON*" and not labels: `ipv6` and location.continent="Europe" and (autonomous_system.name="ALTAWK" or autonomous_system.name="AS_DELIS")

PikaBot Somethings

Re-used HTML title, common tags and long locality names in certificate.

services.http.response.html_tags="Caseking | Gaming PC & Computer Hardware Online Shop\n"

services.labels="amazon-pay" and services.labels="zendesk" and services.tls.certificates.leaf_data.subject.locality="* *" and not services.tls.certificates.leaf_data.issuer.organization="CloudFlare, Inc."

Solarmarker C2 Servers

services.http.response.status_reason="NOT FOUND" and not services.port:[81 to 65000]  and services.http.response.body_size:0 and services.port:22 and ecdsa-sha2-nistp256