New Techniques: Uncovering Tor Hidden Service with Etag

Sh1ttyKids
Jun 14, 2023 · 5 min read


This investigation was conducted mainly through publicly available open-source intelligence services such as Shodan, as well as through underground community sources. The related server has already been shut down, and the person believed to be the suspect has been indicted, which prompted the release of this report. The de-anonymization method using ETag is almost unknown to the public, and I believe it is a valuable contribution to the community.

First created: November 12, 2020 (TLP:RED version, for law enforcement)
Published version: June 13, 2023 (TLP:WHITE version)

Intro

Ragnar Locker, a well-known ransomware group, attacked the video game company Capcom, claiming to have stolen one terabyte of data. Capcom refused Ragnar Locker’s demands, and 67 GB of the stolen files were published on the Dark Web.

Ragnar Locker's leak site

Research

This leak site contains only a link, not the files themselves. Instead, there is a dedicated Onion address for hosting files such as the leaked data, which seems to have been prepared by the operator of Ragnar Locker. The files themselves were split into multiple files and hosted on an Onion address starting with t2w…, as shown in the image below.

Onion address with leaked data file name

Direct access to this Onion address resulted in an empty page, which led me to speculate that it was an address dedicated to hosting Capcom’s leaked data. As of the time of writing this report (November 12, 2020), the author has confirmed no evidence that the address was used for anything other than hosting Capcom’s leaked data.

Empty page and response header

Generally, when looking for the origin IP address of a website on the Dark Web, the website's source code, SSL certificate, response headers and so on are examined for unique strings and other fingerprint information, which are then searched for in scanning services such as Shodan and Censys to find the IP address. In this case, however, I could not obtain information such as the website's source code.

Then, I checked the response headers. Scanning services acquire response headers in addition to the source code. Therefore, if the response header contains a unique string, it may be possible to obtain the origin IP address.

HTTP/1.1 304 Not Modified
Date: Wed, 11 Nov 2020 17:09:12 GMT
Server: Apache/2.4.6 (CentOS) mpm-itk/2.4.7-04 OpenSSL/1.0.2k-fips PHP/5.4.16
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
ETag: "0-5a4a8aa76f2f0"

I tried searching in the Server header and other places, but could not narrow down the search as much as I would have liked, probably because it was not a unique string. After checking to see if there were any other areas that could be used to narrow down the search, I thought that the ETag information in the response header could be used for identification.

ETag is a response header whose value is generated per resource (piece of content) and sent to the browser with the response. Using Shodan, I searched for the ETag value 0-5a4a8aa76f2f0 and found one hit.
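The header comparison described above, as an added example that is not part of the original post: it parses two captured response header blocks, reports which deployment-specific headers match (here only ETag, while Server differs, as the post found), and decodes the Apache ETag, which by default encodes file size and modification time (in microseconds) as hex fields. The onion block reproduces the headers quoted in the post; the clearnet block is a constructed stand-in, since the post only shows the ETag match. The same script lets an operator audit their own hidden service for headers that would correlate with a clearnet listener.

```python
import re
from datetime import datetime, timezone

# Constructed sample input. The first block reproduces the headers quoted in
# the post; the second stands in for what a scanner stored for the clearnet IP
# (the post only states that the ETag matched and Server did not).
ONION_RESPONSE = """HTTP/1.1 304 Not Modified
Date: Wed, 11 Nov 2020 17:09:12 GMT
Server: Apache/2.4.6 (CentOS) mpm-itk/2.4.7-04 OpenSSL/1.0.2k-fips PHP/5.4.16
Connection: Keep-Alive
Keep-Alive: timeout=5, max=100
ETag: "0-5a4a8aa76f2f0"
"""
CLEARNET_RESPONSE = """HTTP/1.1 200 OK
Date: Thu, 12 Nov 2020 09:00:00 GMT
Server: Apache
Content-Length: 0
ETag: "0-5a4a8aa76f2f0"
"""

# Headers tied to one deployment or one file, so usable as a correlation pivot.
# Date, Connection and Keep-Alive vary per request or are shared by everyone.
FINGERPRINT_HEADERS = ("server", "etag", "last-modified", "x-powered-by")

def parse_headers(raw):
    """Map lowercase header names to values, skipping the status line."""
    headers = {}
    for line in raw.splitlines()[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return headers

def decode_apache_etag(etag):
    """Decode Apache's FileETag "size-mtime" or "inode-size-mtime" (hex fields).
    The mtime field is an apr_time_t: microseconds since the Unix epoch."""
    m = re.fullmatch(r'(?:W/)?"?((?:[0-9a-f]+-){1,2}[0-9a-f]+)"?', etag)
    if not m:
        return None
    fields = [int(f, 16) for f in m.group(1).split("-")]
    size, mtime_us = fields[-2], fields[-1]
    mtime = datetime.fromtimestamp(mtime_us // 1_000_000, tz=timezone.utc)
    return {"size": size, "mtime_us": mtime_us,
            "mtime": mtime.strftime("%Y-%m-%d %H:%M:%S UTC")}

def shared_fingerprints(raw_a, raw_b):
    """Return fingerprint headers whose values are identical in both responses."""
    a, b = parse_headers(raw_a), parse_headers(raw_b)
    return [h for h in FINGERPRINT_HEADERS if h in a and a[h] == b.get(h)]

if __name__ == "__main__":
    print("shared:", shared_fingerprints(ONION_RESPONSE, CLEARNET_RESPONSE))
    print("etag:", decode_apache_etag(parse_headers(ONION_RESPONSE)["etag"]))
```

The size field of 0 is consistent with the empty page the post describes; a static error page or default index with a non-zero size would produce a different, but equally correlatable, value.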

Shodan's search result

If you access the IP address directly, you see an empty page, just as when you access the t2w5by… .onion address directly.

*An aside: In this research, I learned how important it is to understand how services such as Shodan and Censys scan and store information, and what information they can retrieve.

Empty page same as onion address

I checked the response headers and found the same ETag; why the other headers, such as Server, did not match is unknown.

Etag information in response header

I tried to download a file with the same name from the Onion address and from the IP address, and confirmed that a file with that name was present at both, as shown in the image below. So it can be said that the origin IP address of the Onion address t2w5by….onion is 5[.]45[.]65[.]52.

*In fact, I wanted to download the file and check the hash to get the final confirmation, but due to various problems, I did not do so.

The same file exists at both the Onion address and the origin IP address

Result

From the Onion address (t2w5by… .onion) that hosted Capcom’s compromised data, research using ETag information revealed the origin IP address (5[.]45[.]65[.]52). For example, if local law enforcement obtained this information, they could potentially seize the server and use it in their investigation.

Later, the IP address 5[.]45[.]65[.]52 was mentioned in an FBI Flash Report. The report does not give any further information about this IP address, but as the research above indicates, it was used as the server hosting Capcom’s compromised data.

Special Thanks

I’d like to thank Hoi Myong of the Cyber Defense Institute and John Fokker of Trellix for their assistance in this research, and also the international law enforcement agencies that conducted the investigation into this information.
