Identifying Laplas Infrastructure Using Shodan and Censys
Quick identification of Laplas infrastructure by utilising Shodan and Censys.
Various queries for locating potential Laplas infrastructure, based on an IP found in a Laplas sample from Malware Bazaar.
The full list can be found at the end of the post.
Links to relevant existing research by OALABS and Chris Duggan. Chris in particular has some work that is very similar to this.
Searching this IP in Shodan reveals a server that redirects to laplas.app. Searching for laplas.app in Shodan reveals 27 servers. Each server appears to be a redirector to the main Laplas site.
Searching for laplas.app in Censys reveals 22 servers, two of which were not in the original Shodan list.
31.42.176[.]127 contains a reference to CN=Laplas.app. This result appears to be the primary server.
Searching for the common name laplas.app does not reveal additional infrastructure. Only the initial result of 31.42.176[.]127 was found.
Of the 22 Censys results, no other common names were available that could be used for pivoting.
Only one JARM hash was available. It was a common JARM fingerprint with around 205K results and hence was not useful for pivoting.
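The workflow above (merge the Shodan and Censys hit lists, find the hosts only one source returned, separate the redirectors from the host presenting the laplas.app certificate, and discard a JARM hash that is too common to pivot on) can be scripted once the raw results are saved. The following is an added example, not tooling from the original post or from the referenced researchers. The records are constructed to mimic the shape of Shodan (`ip_str`, `http.location`, `ssl.cert.subject.CN`, `ssl.jarm`) and Censys (`ip`, `services[].http.response.headers.Location`, `services[].tls.certificates.leaf_data.subject.common_name`, `services[].jarm.fingerprint`) host data; the field paths, the JARM value and the sample IPs (RFC 5737 documentation ranges plus the 31.42.176[.]127 host named in the post) are assumptions for illustration, not real search output.

```python
"""Merge Shodan and Censys search results for one domain and rank pivot attributes.

Added example; the records below are constructed and are not real search output.
Field paths approximate Shodan and Censys host data and are an assumption.
"""
import ipaddress

DOMAIN = "laplas.app"

# Constructed 62-character JARM value standing in for the common fingerprint the post saw.
JARM_CONSTRUCTED = "2ad2ad0002ad2ad00042d42d000000" + "0" * 32

# Constructed Shodan-style records (the post had 27 hits; four are shown here).
SHODAN_RESULTS = [
    {"ip_str": "192.0.2.10", "http": {"location": "https://laplas.app/"}},
    {"ip_str": "192.0.2.11", "http": {"location": "https://laplas.app/"}},
    {"ip_str": "198.51.100.5", "http": {"location": "https://laplas.app/"}},
    {"ip_str": "31.42.176.127",
     "ssl": {"cert": {"subject": {"CN": "laplas.app"}}, "jarm": JARM_CONSTRUCTED},
     "http": {"title": "Laplas"}},
]

# Constructed Censys-style records; 192.0.2.12 appears only here, like the two extra Censys hits.
_REDIRECT_SVC = {"port": 80, "http": {"response": {"headers": {"Location": ["https://laplas.app/"]}}}}
CENSYS_RESULTS = [
    {"ip": "192.0.2.10", "services": [_REDIRECT_SVC]},
    {"ip": "192.0.2.12", "services": [_REDIRECT_SVC]},
    {"ip": "198.51.100.5", "services": [_REDIRECT_SVC]},
    {"ip": "31.42.176.127", "services": [{
        "port": 443,
        "tls": {"certificates": {"leaf_data": {"subject": {"common_name": ["laplas.app"]}}}},
        "jarm": {"fingerprint": JARM_CONSTRUCTED},
    }]},
]

# Constructed prevalence table: how many hosts on the search engine share each JARM hash.
# The post reports roughly 205K hosts for the one hash it found, hence not a useful pivot.
JARM_PREVALENCE = {JARM_CONSTRUCTED: 205_000}


def normalize_shodan(rec):
    """Reduce a Shodan banner to the four attributes used for pivoting."""
    ssl = rec.get("ssl", {})
    return {
        "ip": rec["ip_str"],
        "cn": ssl.get("cert", {}).get("subject", {}).get("CN"),
        "jarm": ssl.get("jarm"),
        "redirect": rec.get("http", {}).get("location"),
    }


def normalize_censys(rec):
    """Reduce a Censys host record to the same four attributes."""
    cn = jarm = redirect = None
    for svc in rec.get("services", []):
        names = (svc.get("tls", {}).get("certificates", {}).get("leaf_data", {})
                 .get("subject", {}).get("common_name") or [])
        cn = cn or (names[0] if names else None)
        jarm = jarm or svc.get("jarm", {}).get("fingerprint")
        loc = svc.get("http", {}).get("response", {}).get("headers", {}).get("Location")
        if loc:
            redirect = redirect or (loc[0] if isinstance(loc, list) else loc)
    return {"ip": rec["ip"], "cn": cn, "jarm": jarm, "redirect": redirect}


def merge(shodan, censys):
    """Union both result sets keyed by IP, remembering which source(s) returned each host."""
    hosts = {}
    for source, recs, norm in (("shodan", shodan, normalize_shodan),
                               ("censys", censys, normalize_censys)):
        for rec in recs:
            h = norm(rec)
            entry = hosts.setdefault(h["ip"], {"sources": set(), "cn": None, "jarm": None, "redirect": None})
            entry["sources"].add(source)
            for key in ("cn", "jarm", "redirect"):
                entry[key] = entry[key] or h[key]
    return hosts


def _by_ip(ips):
    return sorted(ips, key=ipaddress.ip_address)


def only_in(hosts, source):
    """Hosts returned by exactly one source (the 'two not in the Shodan list' check)."""
    return _by_ip(ip for ip, h in hosts.items() if h["sources"] == {source})


def redirectors(hosts, domain):
    """Hosts whose HTTP response redirects to the main site."""
    return _by_ip(ip for ip, h in hosts.items() if h["redirect"] and domain in h["redirect"])


def pivots(hosts, jarm_prevalence, max_common=10_000):
    """Group hosts by certificate CN and by JARM; JARM hashes shared by more than
    max_common hosts are moved to 'rejected_jarm' because they cannot discriminate."""
    out = {"cn": {}, "jarm": {}, "rejected_jarm": {}}
    for ip, h in hosts.items():
        if h["cn"]:
            out["cn"].setdefault(h["cn"], []).append(ip)
        if h["jarm"]:
            bucket = "jarm" if jarm_prevalence.get(h["jarm"], 0) <= max_common else "rejected_jarm"
            out[bucket].setdefault(h["jarm"], []).append(ip)
    return out


def defang(ip):
    """Write an IP in the post's defanged style, e.g. 31.42.176[.]127."""
    head, _, last = ip.rpartition(".")
    return f"{head}[.]{last}"


if __name__ == "__main__":
    hosts = merge(SHODAN_RESULTS, CENSYS_RESULTS)
    print("total hosts:", len(hosts))
    print("censys only:", [defang(ip) for ip in only_in(hosts, "censys")])
    print("redirectors:", [defang(ip) for ip in redirectors(hosts, DOMAIN)])
    print("pivots:", pivots(hosts, JARM_PREVALENCE))
```

Replace the constructed lists with the JSON exported from the Shodan and Censys CLIs or APIs, and raise `max_common` only if the engine you are querying indexes far more TLS hosts than the one the post used; the threshold is a judgement call, not a property of JARM.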
Complete List of Potential Laplas Stealer Infrastructure
Complete list of IPs based on searches for laplas.app in both Shodan and Censys.
220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52 184.108.40.206 220.127.116.11 18.104.22.168 22.214.171.124 126.96.36.199 188.8.131.52