Hunting random spy(ware) using Censys

While reading an article by the BlackBerry Threat Intelligence Team, I learned that Censys has developed two queries to identify both LightSpy and WyrmSpy C2 servers, which are associated with the APT41 espionage group.

Here are the Censys queries:

*Light spy*

services.software.uniform_resource_identifier: cpe:2.3:a:lightspy:lightspy:*:*:*:*:*:*:*:*

*WyrmSpy*
 
 services.software.uniform_resource_identifier: cpe:2.3:a:wyrmspy:wyrmspy:*:*:*:*:*:*:*:*

I then identified a pattern — you can see where I’m going: the term “spy,” which in our current cases, appeared in the services.software.uniform_resource_identifier field of both C2 servers. Using the C2 filter proved to be the right choice.

I created and tested these simple queries on Censys:

"spy" and labels: c2

"spyware" and labels: c2

Regarding the first query ("spy" and labels: c2), it returned 11 results.

Here is a ranking of the threats found:

+-----------------------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| **Threats (4)**                   | **Occurrences (11)** | **Context**                                                                                                                                                                         |
+-----------------------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| XploitSPY (aka Spy-Agent malware) | 6                   | XploitSPY is a surveillance software that tracks mobile activities, such as calls, messages, and app usage. While marketed for parental control or employee monitoring, it can be misused for illegal spying if used without consent. |
| [Undetermined Spy]                | 2                   | Context difficult to find around these IPs. We will not address this.                                                                                                               |
| AsyncRAT Server                   | 2                   | AsyncRAT Server is a remote access tool designed to control systems asynchronously, often used for administrative tasks or, unfortunately, for malicious activities if misused.    |
| Cobalt Strike Server              | 1                   | Cobalt Strike is a penetration testing tool used to deploy a stealth implant called Beacon, which can execute commands, escalate privileges, and move laterally via C2 communications like HTTP, DNS, etc. Although originally legitimate, it is often misused by cybercriminals for advanced attacks, including data theft and ransomware deployment. |
+-----------------------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

AsyncRAT is part of the identified and confirmed threat category derived from the “spy” keyword.

By focusing on this specific threat, several pivoting techniques can lead to a highly reliable Censys query, allowing for the discovery of new malicious C2 servers associated with the AsyncRAT tool.

Censys query to find malicious AsyncRAT C2 :

((((services.software.uniform_resource_identifier="cpe:2.3:a:asyncrat:asyncrat:\:\:\:\:\:\:\:\")
) and labels=file-sharing) and labels=c2) and labels=open-dir

Next, I tested the following search:

"spyware" and labels: c2

At the time of the test, it returned two results:

A web search allows pivoting to post X from an analyst who flagged these IPs as C2 panels for the Byakugan malware:

According to an online report from JOESandbox, one of the IPs found (89.117/) is used to distribute the PDF Reader_PDF_2024.exe.

+-----------------------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| **Threats (1)**                   | **Occurrences (2)** | **Context**                                                                                                                                                                         |
+-----------------------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+
| Byakugan                          | 2                   | Byakugan (E-Banking Trojan) is a multi-functional malware distributed through a phishing campaign using malicious PDF files. It details the infection vector, command-and-control infrastructure, and various capabilities like screen monitoring, mining, keylogging, and data exfiltration. The malware employs evasion techniques, persistence mechanisms, and utilizes legitimate tools like OBS Studio. |
+-----------------------------------+---------------------+-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------+

Indicators :

IOCs : 

**Spy-Agent malware 
IP - C2** 

78[.]153[.]130[.]157     

**AsyncRAT
IP - C2**

198[.]154[.]99[.]162
78[.]162[.]164[.]147
45[.]135[.]232[.]38
109[.]199[.]101[.]109

**Cobalt Strike 
IP - C2** 

139[.]59[.]45[.]226

**Byakugan
IP - C2** 

89[.]117[.]72[.]231
31[.]220[.]98[.]29
Sample name : Reader_PDF_2024.exe
MD5 : f3597861327b985e3fd109c1bf44eda1
SHA1 : 587838a9242d3b8b063e07427fa95f900aa0842b
SHA256 : e8a8473c1e01688d370bbb1968b6361264c56a65ddbb31f8278ac618618f4efa

Conclusion

We hunted for random “Spy(ware)” at a specific moment in time, but we could have easily encountered other types of spyware at another point. This exercise should be seen as just the beginning — both educational and enjoyable. The ultimate goal is to uncover elements related to the infrastructure of a verified threat. Today, our investigation into “Spy(ware)” mainly led us to AsyncRAT as a confirmed threat, but tomorrow it might very well be another threat altogether.

Thank you for reading!