Hunting “Legit” Red Teams C2 Infrastructure

Michael Koczwara
4 min read, Sep 18, 2021

There is a legitimate-looking website:

https://facilities-awareness[.]com

However, if you pay attention, there is one interesting detail: the website logo/name (Model/Remodel) does not match the URL, facilities-awareness[.]com.

facilities-awareness[.]com

Categorized as Real Estate according to Cisco Talos.

Let's investigate the domain and IP address.

It looks like the website is behind Amazon CloudFront, and the IP address is 13.249.22[.]98.

Let's check the domain with VirusTotal. Fortinet is flagging the domain as malware.

VT Analysis

Let's check the DNS records now and focus on these IP addresses only:

  • 13.249.135[.]21
  • 13.249.135[.]4
  • 13.249.135[.]82
  • 13.249.135[.]127
  • 64.69.57[.]212

13.249.135[.]xx looks like Amazon CloudFront infrastructure.

VT Analysis

Let's investigate 64.69.57[.]212 now.

It looks clean, but there are two files communicating with this IP address.

VT Analysis

Let's investigate further.

There is a facilitie-awareness[.]com domain and two executables marked as Cobalt Strike shellcode!
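The pivot in this hunt is mechanical enough to script: take every IP the domain has resolved to, drop the ones that belong to the CDN fronting the site (here Amazon CloudFront), and then look at what files are known to talk to whatever is left. The snippet below is an added example written for this post, not the author's tooling. It uses the shape of AWS's published ip-ranges.json (really served at https://ip-ranges.amazonaws.com/ip-ranges.json), but the prefixes, the resolution history, and the VirusTotal-style "communicating files" records embedded in it are constructed for illustration; the file hashes are placeholders, not the real samples from the post.

```python
import ipaddress
import json

# Constructed subset in the shape of AWS's ip-ranges.json. The prefixes are
# illustrative for this example, not a verified copy of the published list.
SAMPLE_AWS_RANGES = json.dumps({
    "prefixes": [
        {"ip_prefix": "13.249.0.0/16", "service": "CLOUDFRONT"},
        {"ip_prefix": "52.46.0.0/18", "service": "CLOUDFRONT"},
    ]
})

# Constructed DNS resolution history, mirroring the IPs discussed in the post.
SAMPLE_RESOLUTIONS = [
    "13.249.135.21",
    "13.249.135.4",
    "13.249.135.82",
    "13.249.135.127",
    "64.69.57.212",
]

# Constructed VirusTotal-style relationship data: files that communicated
# with each IP, with the tags a sandbox/AV might attach. Hashes are placeholders.
SAMPLE_COMMUNICATING_FILES = {
    "64.69.57.212": [
        {"sha256": "<placeholder-hash-1>", "tags": ["cobaltstrike", "shellcode"]},
        {"sha256": "<placeholder-hash-2>", "tags": ["cobaltstrike", "shellcode"]},
        {"sha256": "<placeholder-hash-3>", "tags": ["pdf"]},
    ]
}


def load_cdn_networks(ranges_json, services=("CLOUDFRONT",)):
    """Parse ip-ranges.json-shaped data and return networks owned by the given services."""
    data = json.loads(ranges_json)
    return [
        ipaddress.ip_network(p["ip_prefix"])
        for p in data["prefixes"]
        if p["service"] in services
    ]


def split_cdn_from_origin(ips, cdn_networks):
    """Partition resolved IPs into CDN edge addresses and everything else (origin candidates)."""
    cdn, origin = [], []
    for ip in ips:
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in cdn_networks):
            cdn.append(ip)
        else:
            origin.append(ip)
    return cdn, origin


def suspicious_files(ip, communicating, indicator_tags=("cobaltstrike",)):
    """Return hashes of files communicating with ip that carry any indicator tag."""
    return [
        f["sha256"]
        for f in communicating.get(ip, [])
        if any(tag in f["tags"] for tag in indicator_tags)
    ]


def triage(ips, ranges_json, communicating):
    """Map each non-CDN IP to the hashes of flagged files that talked to it."""
    _, origin = split_cdn_from_origin(ips, load_cdn_networks(ranges_json))
    return {ip: suspicious_files(ip, communicating) for ip in origin}


def defang(ip):
    """Defang an IPv4 address the way the post does (last dot bracketed)."""
    head, _, tail = ip.rpartition(".")
    return f"{head}[.]{tail}"


if __name__ == "__main__":
    for ip, hashes in triage(SAMPLE_RESOLUTIONS, SAMPLE_AWS_RANGES,
                             SAMPLE_COMMUNICATING_FILES).items():
        print(f"{defang(ip)}: {len(hashes)} flagged communicating file(s)")
```

In practice the resolution history and communicating-files lists would come from a passive DNS source and the VirusTotal API rather than the embedded samples; the filtering logic stays the same. Treating "resolves outside the CDN's ranges" as the pivot is what separates the CloudFront noise from the single address worth the extra click.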
