By Gabor Szathmari
One interesting offshoot of researching .gov.au websites running outside Australia was an odd service running from Russia. How did Service NSW, a website offering government services online, end up associated with a Russian datacenter?
According to this Shodan query, the domain name mta.comms.service.nsw.gov.au (an email server belonging to Service NSW) appears to be hosted on the IP address
The GeoIP database shows that this IP (126.96.36.199) belongs to Selectel, an IT company with six data centres in Moscow and St. Petersburg.
What is going on here?
Before anyone gets excited, there is no direct association between Service NSW and Russia. The reality is more boring, but with a clever twist.
Links to banking malware
According to a Hybrid Analysis report from earlier, the IP address 188.8.131.52 was associated with a phishing campaign.
The phishing campaign featured a Word document with a malicious payload that tried to download a banking trojan onto the victims’ computers. The screenshots of this Word document indicate that the campaign was targeting NatWest (UK bank) customers.
An additional search reveals that the Russian IP address is (or was) associated with a banking trojan called Trickbot. This piece of malicious software was developed in 2016 with the sole purpose of stealing from bank accounts and Bitcoin wallets, and of downloading other harmful code onto the victims’ PCs.
According to Vulners, the IP (184.108.40.206) appears to be a ‘Command and Control’ (C2) server, an important network infrastructure element used to control and operate the botnet.
How is Trickbot related to Service NSW?
The last remaining question is what Trickbot has to do with the NSW Government. If we do a reverse DNS lookup on 220.127.116.11, it resolves to
The answer is that it is a clever attempt to disguise communication between infected PCs on corporate networks and the Trickbot C2 server (18.104.22.168).
Big companies usually monitor and log network traffic originating from their internal network. If a security analyst drills into the network logs to identify covert communication channels between the corporate network and C2 servers on the Internet, a reverse DNS lookup on 22.214.171.124 will return the innocuous-looking domain name mta.comms.service.nsw.gov.au, seemingly belonging to a government-run website.
As the DNS records used for reverse lookups (PTR records) are managed by the hosting provider (Selectel in this case), the malware operator may choose any arbitrary hostname to deceive security analysts.
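The practical defence against this trick is forward-confirmed reverse DNS: accept a PTR name only if that name resolves back to the same IP. The following is an added example, not code from the original post, and the DNS records and log lines it uses are constructed test data modelled on the case above (RFC 5737 test addresses stand in for the real IPs).

```python
from typing import Callable, Dict, List, Optional

# Constructed DNS view of the case above (not real lookups): the provider-managed
# PTR record claims a government hostname, but the real owner of that hostname
# never points it at the suspicious address. IPs are RFC 5737 test addresses.
FAKE_PTR: Dict[str, str] = {
    "203.0.113.10": "mta.comms.service.nsw.gov.au",  # deceptive PTR
    "203.0.113.20": "mail.example.org",              # honest PTR
}
FAKE_A: Dict[str, List[str]] = {
    "mta.comms.service.nsw.gov.au": ["198.51.100.5"],  # constructed legitimate A record
    "mail.example.org": ["203.0.113.20"],
}


def fcrdns_verdict(ip: str, ptr: Callable[[str], Optional[str]],
                   forward: Callable[[str], List[str]]) -> str:
    """Return 'confirmed', 'mismatch' or 'no-ptr' for one IP.

    The PTR name is only as trustworthy as the IP's hosting provider, so it is
    accepted only if that name forward-resolves (A record) back to the same IP.
    """
    name = ptr(ip)
    if name is None:
        return "no-ptr"
    return "confirmed" if ip in forward(name) else "mismatch"


def triage_log(lines: List[str], ptr, forward) -> List[str]:
    """Flag destination IPs in 'key=value' log lines whose PTR fails confirmation."""
    flagged = []
    for line in lines:
        fields = dict(f.split("=", 1) for f in line.split() if "=" in f)
        dst = fields.get("dst")
        if dst and fcrdns_verdict(dst, ptr, forward) == "mismatch":
            flagged.append(f"{dst} claims to be {ptr(dst)} but that name does not resolve to it")
    return flagged


# Constructed firewall log excerpt (not from the post).
SAMPLE_LOG = [
    "2024-01-01T10:00:00Z src=10.0.0.15 dst=203.0.113.10 dport=443 action=allow",
    "2024-01-01T10:00:01Z src=10.0.0.16 dst=203.0.113.20 dport=25 action=allow",
]

if __name__ == "__main__":
    # For live checks swap in socket.gethostbyaddr(ip)[0] and socket.gethostbyname_ex(name)[2].
    for msg in triage_log(SAMPLE_LOG, FAKE_PTR.get, lambda n: FAKE_A.get(n, [])):
        print("SUSPICIOUS:", msg)
```

Only the deceptive destination is flagged; the honest mail server, whose PTR name resolves back to its own address, passes.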
This is confirmed when we visit http://126.96.36.199. The website on this IP address appears to belong to a chemical company based in Russia. It runs on WordPress and was most likely hacked and turned into a Command and Control server for the banking malware.
Security analysts should not blindly trust reverse DNS lookups when hunting for malware. As this example shows, the operators of Trickbot were actively trying to evade detection by disguising the Command and Control IP address as a legitimate NSW Government service.
What Service NSW can do in this situation is contact either Selectel or RU-CERT to have the deceptive reverse DNS record removed.