Yandex.ru and Intrusion Investigations

Forensic Thoughts
Quite often I notice that unauthorized actors who compromise RDP access will launch a native web browser and navigate to a site such as whoer.net to enumerate browser header information, IP address, ISP, and a smattering of other host identification details. When reviewing these cases with forensic tools, I would also quite often see a hit for https://mc.yandex.ru/metrika/watch.js. Observing a .ru domain hit usually raises my suspicion level a bit, but I could not understand the context, because there are not normally other .ru domains found during my investigation. A little common sense and research confirmed that “metrika” is Russian for “metric” and that examination of watch.js appears to reveal a web metric monitoring/tracking capability similar to the Google Analytics reports offered to webmasters via its tracking code (https://support.google.com/analytics/answer/1032385?hl=en). I…
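As an added illustration (my own triage code, not anything from the original post), the routine below walks constructed browser-history records and separates a mc.yandex.ru tracker hit that is explained by an immediately preceding whoer.net visit from one that has no such explanation and deserves its own review. The timestamps, the 30-second window and the example.com entry are assumptions for the sample.

```python
from datetime import datetime, timedelta
from urllib.parse import urlparse

# Constructed sample of browser-history / proxy records for one host:
# (timestamp, requested URL, referrer). Made up for illustration, not case data.
SAMPLE_RECORDS = [
    ("2023-03-01 14:02:10", "https://whoer.net/", ""),
    ("2023-03-01 14:02:11", "https://mc.yandex.ru/metrika/watch.js", "https://whoer.net/"),
    ("2023-03-01 16:40:05", "https://mc.yandex.ru/metrika/watch.js", ""),
    ("2023-03-01 16:40:30", "https://www.example.com/", ""),
]

# Sites used to enumerate public IP / browser details, and the third-party
# analytics host the post observed being loaded alongside them.
IP_CHECK_SITES = {"whoer.net", "www.whoer.net"}
TRACKER_HOSTS = {"mc.yandex.ru"}


def host_of(url):
    return urlparse(url).hostname or ""


def parse(records):
    return [(datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), url, ref) for ts, url, ref in records]


def triage(records, window=timedelta(seconds=30)):
    """Return (url, verdict) for IP-check visits and tracker hits.

    A tracker hit is attributed to an IP-check site when the referrer is that
    site or the same host visited it within `window` beforehand; otherwise it
    is flagged as unexplained so the analyst looks at it on its own.
    """
    rows = sorted(parse(records))
    out = []
    for i, (ts, url, ref) in enumerate(rows):
        host = host_of(url)
        if host in IP_CHECK_SITES:
            out.append((url, "ip-check site visit: possible host enumeration after access"))
        elif host in TRACKER_HOSTS:
            source = host_of(ref) if host_of(ref) in IP_CHECK_SITES else None
            if source is None:
                for pts, purl, _ in reversed(rows[:i]):  # look back within the window
                    if ts - pts > window:
                        break
                    if host_of(purl) in IP_CHECK_SITES:
                        source = host_of(purl)
                        break
            verdict = (f"tracker loaded by {source}: expected side effect, not a separate indicator"
                       if source else "tracker hit with no IP-check site in window: review separately")
            out.append((url, verdict))
    return out
```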