ZoomEye Behavior Mapping For Office Word 0day (CVE-2021-40444) Original Attacker


Author: Heige (a.k.a. Superhei) of KnownSec 404 Team, https://twitter.com/80vul, 09/12/2021

[Note: The ZoomEye search data in this article is based on query results from September 11; the target data has since been overwritten and updated.]

Before reading on, please read the following two articles, which explain the theory behind the approach used here:

“Behavior Mapping” in Cyberspace https://80vul.medium.com/behavior-mapping-in-cyberspace-one-net-cleans-apt-and-botnet-c2s-ed49a9b7d426
One ZoomEye Query Cleans BazarLoader C2s https://80vul.medium.com/one-zoomeye-query-cleans-bazarloader-c2s-4b49a71ec10d

For background on CVE-2021-40444, see the security bulletin issued by Microsoft: https://msrc.microsoft.com/update-guide/vulnerability/CVE-2021-40444. Our purpose here is to survey and map the organization that first used this 0day in attacks, so the natural starting point is the attacker's IOCs from that time. We noticed that Trend Micro security researchers had already released the relevant information:

https://www.trendmicro.com/en_us/research/21/i/remote-code-execution-zero-day--cve-2021-40444--hits-windows--tr.html

From their article, I saw the C2 servers used by the attacker at the time:

hxxps://joxinu[.]com
hxxps://dodefoh[.]com
hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify.html

Let's search ZoomEye for all three domains at once: https://www.zoomeye.org/searchResult?q=dodefoh.com%20joxinu.com%20pawevi.com Fortunately, I found matching results. The relevant information is extracted as follows:
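To make the pivot above repeatable, here is an added helper (my own example, not code from the original post or from the ZoomEye project) that refangs the defanged C2 indicators quoted earlier, extracts their hostnames, builds the same multi-term ZoomEye search URL the post uses, and flags which indicator a returned banner or certificate field matches. It assumes only that ZoomEye accepts space-separated terms, as the URL in the post shows; the banner text is constructed sample input.

```python
import re
from urllib.parse import quote, urlsplit

# Defanged C2 indicators exactly as quoted in the post (from the Trend Micro write-up).
DEFANGED_IOCS = [
    "hxxps://joxinu[.]com",
    "hxxps://dodefoh[.]com",
    "hxxp://pawevi[.]com/e32c8df2cf6b7a16/specify.html",
]


def refang(ioc: str) -> str:
    """Undo common defanging so the indicator can be parsed as a URL.

    hxxp/hxxps -> http/https, [.] and (.) -> ., [:] -> :
    """
    s = re.sub(r"^hxxp", "http", ioc.strip(), flags=re.IGNORECASE)
    return s.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")


def hostnames(iocs) -> list:
    """Unique hostnames of the refanged indicators, in first-seen order."""
    hosts = []
    for ioc in iocs:
        host = urlsplit(refang(ioc)).hostname
        if host and host not in hosts:
            hosts.append(host)
    return hosts


def zoomeye_query(hosts) -> str:
    """Space-separated multi-term query; sorted so the query is stable across runs."""
    return " ".join(sorted(hosts))


def zoomeye_search_url(hosts) -> str:
    """Web search URL of the same shape as the one used in the post."""
    return "https://www.zoomeye.org/searchResult?q=" + quote(zoomeye_query(hosts), safe="")


def matching_hosts(banner: str, hosts) -> list:
    """Which indicator hostnames appear in a scanned banner / certificate text."""
    low = banner.lower()
    return [h for h in hosts if h.lower() in low]


# Constructed sample of a TLS certificate subject line as a scanner might record it.
SAMPLE_BANNER = "Subject: CN=joxinu.com, O=Example; Issuer: CN=R3"
```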

IP: 45.147.229.242 (Germany, Frankfurt; operator: combahton.net)
ZoomEye update time: 2021-09-06 22:01
CobaltStrike Beacon:
C2 Server:
