
ARL (Asset Reconnaissance Lighthouse System)

Chinese Asset Recon tool, aimed to perform reconnaissance of Domains & Subdomains.

Brief introduction

This is an investigative article on ARL (Asset Reconnaissance Lighthouse System), a Chinese reconnaissance tool spotted in active use by Chinese threat groups.

30/08/2023: The investigation is ongoing, and this page will be updated as more information becomes available.

The following is an excerpt from the project's GitHub page:

It aims to quickly detect the Internet assets associated with the target and build a base asset information base. Assist Party A's security team or penetration testers to effectively scout and retrieve assets to discover existing weaknesses and attack surfaces.

Before starting to use, please be sure to read and agree to the terms in the disclaimer, otherwise please do not download and install the system.

Disclaimer

Posted by ARL Team on Github

If you download, install, use or modify this system and related code, it means that you trust this system. We do not assume any responsibility for any form of loss and injury to yourself or others caused by the use of this system. If you have any illegal acts in the process of using this system, you shall bear the corresponding consequences, and we will not bear any legal and joint liability. Please be sure to carefully read and fully understand the content of each clause, especially the clause that exempts or limits liability, and choose to accept or not accept. Unless you have read and accepted all the terms of this Agreement, you are not authorized to download, install or use the System. Your downloading, installation, use, etc. are deemed to have read and agreed to be bound by the above agreement.


Feature Set

According to its GitHub page, ARL is developed for Linux. It supports the following features:

  1. Domain name asset discovery and organization
  2. Inventory of IP/IP segments
  3. Port scanning and service identification
  4. WEB Site fingerprinting
  5. Asset grouping management and search
  6. Task policy configuration
  7. Scheduled and periodic tasks
  8. Github keyword monitoring
  9. Domain name/IP asset monitoring
  10. Site change monitoring
  11. Risk detection such as document leakage
  12. Nuclei PoC call

The tool is mostly Python based and appears to be maintained mainly by a team in Shanghai, China.

The tool has been spotted performing reconnaissance of domains and subdomains over TLS and non-TLS services (ports 443 and 80), often fixating on a single domain and running a dictionary attack for known subdomains and paths against it.
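The path-dictionary behaviour described above leaves a characteristic trace in web server access logs: one source requesting many distinct paths in a short window, most of them answered with 404. The following detector is an added example (not part of the original article or of ARL itself) that runs over constructed combined-format log lines; the thresholds are assumptions to tune per environment, and subdomain brute-forcing would need DNS logs instead.

```python
import re
from collections import defaultdict
from datetime import datetime

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) ')
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"

def parse_line(line):
    """Return (ip, timestamp, path, status) or None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, ts, _method, path, status = m.groups()
    return ip, datetime.strptime(ts, TS_FMT), path.split("?", 1)[0], int(status)

def find_path_sweeps(lines, min_paths=5, window_s=60, min_404_ratio=0.5):
    """Return {ip: stats} for sources that hit many distinct paths, mostly 404, quickly.
    Thresholds are assumed defaults; raise min_paths on busy sites to cut noise."""
    per_ip = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec:
            per_ip[rec[0]].append(rec)
    flagged = {}
    for ip, recs in per_ip.items():
        paths = {r[2] for r in recs}
        misses = sum(1 for r in recs if r[3] == 404)
        times = sorted(r[1] for r in recs)
        span = (times[-1] - times[0]).total_seconds()
        ratio = misses / len(recs)
        if len(paths) >= min_paths and span <= window_s and ratio >= min_404_ratio:
            flagged[ip] = {"requests": len(recs), "distinct_paths": len(paths),
                           "not_found_ratio": round(ratio, 2), "span_seconds": span}
    return flagged

# Constructed sample traffic (documentation-range IPs, not real observations).
SAMPLE_LOG = """\
203.0.113.7 - - [30/Aug/2023:10:00:01 +0000] "GET /admin HTTP/1.1" 404 153
203.0.113.7 - - [30/Aug/2023:10:00:01 +0000] "GET /backup.zip HTTP/1.1" 404 153
203.0.113.7 - - [30/Aug/2023:10:00:02 +0000] "GET /login HTTP/1.1" 404 153
203.0.113.7 - - [30/Aug/2023:10:00:02 +0000] "GET /test HTTP/1.1" 404 153
203.0.113.7 - - [30/Aug/2023:10:00:03 +0000] "GET /old HTTP/1.1" 404 153
203.0.113.7 - - [30/Aug/2023:10:00:03 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.4 - - [30/Aug/2023:10:00:05 +0000] "GET / HTTP/1.1" 200 5120
198.51.100.4 - - [30/Aug/2023:10:00:09 +0000] "GET /about HTTP/1.1" 200 2210
"""

if __name__ == "__main__":
    print(find_path_sweeps(SAMPLE_LOG.splitlines()))
```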

Here is a full description of its task options and what they do.

  1. Task name: Defines the task name.
  2. Mission Objections: Task targets; supports IPs, IP ranges and domain names. Multiple targets can be submitted at once.
  3. Domain blast type: Dictionary size for domain name brute-forcing. Large dictionary: the commonly used 2,<> dictionary size. Test: a few entries, used to check whether the function is working properly.
  4. Port Scan Type: ALL: all ports; TOP1000: the 1000 most common ports; TOP100: the 100 most common ports; test: a few ports.
  5. Domain Name Bruteforce: Whether to enable DNS brute-forcing.
  6. DNS Dictionary Intelligently Generated: Generate dictionaries based on existing domain names for spraying.
  7. Domain Name Lookup Plugin: 12 supported data sources, including alienvault, certspotter, crtsh, fofa and hunter.
  8. ARL history queries: Query ARL's historical task results for this task.
  9. Port Scanning: Enables port scanning; when it is not enabled, ports 80 and 443 are checked by default.
  10. Service identification: When service identification is enabled, a firewall may block it and the result will be empty.
  13. Skip the CDN: IPs determined to be CDNs are not port scanned; ports 80 and 443 are assumed open.
  14. Site identification: Fingerprint the site.
  15. Search engine calls: Use search engines to find URLs and subdomains, then crawl the corresponding URLs.
  16. Site crawlers: Use a static crawler to crawl the URLs belonging to the site.
  17. Site screenshot: Take a screenshot of the site's homepage.
  18. File leakage: Check the site for file leakage; a WAF will block this.
  19. Host collision: Detect improperly configured vhosts.
  20. Nuclei call: Run nuclei's default PoCs against the site; this will be blocked by a WAF, so use this function with caution.

The feature set is extensive: site crawlers, fingerprinting, CDN skipping and more. The tool has been spotted fingerprinting and crawling multiple sites. The actors using it are currently unknown, but it could well be in active use by Initial Access Brokers (IABs) to quickly identify and index potential targets.

Indicators of Use

There are a few indicators that give away use of the tool. One is the SHA1 hash posted by Michael Koczwara: sha1:465811beb4dab8e1df19cf2ad3ed92bfd2194de2

Other indicators include the page title of the tool's web interface (as seen in Shodan or ThreatBook) being "ARL" or "资产灯塔系统" (Asset Lighthouse System in Mandarin).
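To enrich a scan-engine record or a fetched response with the title indicator above, the check below parses the HTML <title> properly instead of grepping the raw body, and matches "ARL" only as a whole word so unrelated titles such as "Charles Proxy" do not hit. This is an added example, not code from the article or from ARL; the sample pages are constructed.

```python
import re
from html.parser import HTMLParser

# Titles the article reports for the ARL web interface.
ARL_TITLE_CN = "资产灯塔系统"
ARL_TITLE_EN = re.compile(r"(?<![A-Za-z])ARL(?![A-Za-z])")

class _TitleExtractor(HTMLParser):
    """Collect the text inside the first <title> element."""
    def __init__(self):
        super().__init__()
        self._in_title = False
        self.title = ""
    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False
    def handle_data(self, data):
        if self._in_title:
            self.title += data

def extract_title(html):
    """Return the page title with whitespace normalised, or '' if there is none."""
    parser = _TitleExtractor()
    parser.feed(html)
    return " ".join(parser.title.split())

def looks_like_arl(html):
    """True when the title carries either ARL indicator from the article."""
    title = extract_title(html)
    if ARL_TITLE_CN in title:
        return True
    return ARL_TITLE_EN.search(title) is not None

# Constructed sample responses (not captured from real hosts).
SAMPLE_PAGES = {
    "panel_cn": "<html><head><title>资产灯塔系统</title></head><body></body></html>",
    "panel_en": "<html><head><title>\n  ARL \n</title></head><body></body></html>",
    "unrelated": "<html><head><title>Charles Proxy</title></head></html>",
    "no_title": "<html><body>nothing here</body></html>",
}

if __name__ == "__main__":
    for name, page in SAMPLE_PAGES.items():
        print(name, extract_title(page), looks_like_arl(page))
```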

Other Sightings

A report by DuskRise shows that the Naikon APT has had this tool in its arsenal as far back as 2022, and its use seems to be on the rise again. Michael Koczwara, together with censysio, also began tracking the tool's infrastructure in January 2023 and spotted over 1,000 malicious hosts matching the ARL SHA1 hash.

Risk Level

🟡 MEDIUM-LOW

Reconnaissance happens constantly, but with this tool in active use by the Naikon APT, and access brokers getting more aggressive as ransomware attacks rise 13% year-over-year from 2021, any advanced reconnaissance activity should be monitored and ingested into intelligence for further enrichment where it falls under current intelligence requirements. Continued advanced reconnaissance raises the risk level, and you should act accordingly within your organizational bounds.