Researchers Hunted Malicious Stockpiled Domains by Analyzing DNS Records
Malicious stockpiled domains are sets of domains that threat actors create in advance for many kinds of future malicious activity, such as:
- Phishing assaults
- Malware distribution
- Scams
- Unwanted Program distribution
- Malicious search engine optimization (SEO)
- Illicit content distribution
These domains tend to be kept unused at first to evade detection; the threat actors activate them later, when they need them, to:
- Exploit vulnerabilities
- Deceive customers
Recently, cybersecurity researchers at Palo Alto Networks’ Unit 42 hunted malicious stockpiled domains by analyzing DNS data.
Malicious Stockpiled Domains
Attacker automation leaves many kinds of traces in various data sources, which security defenders can pick up in places such as:
- Certificate transparency logs
- Passive DNS (pDNS)
The researchers used these data points to build a stockpiled domain detector with benefits such as wider malicious domain coverage and earlier detection.
In addition, they employed more than 300 features to process terabytes of data, including:
- Billions of pDNS records
- Billions of certificate records
A large data set of malicious and benign domains supported the following key tasks:
- Reputation calculation
- Training a Random Forest ML algorithm
To detect stockpiled domains, the researchers extract the following six categories of features:
- Certificate Features
- Domain Name Lexical Features
- Certificate Domain Aggregation Features
- Certificate Reputation and Aggregation Features
- pDNS and Certificate Aggregation Features
- pDNS Reputation and Aggregation Features
More than 9,000 malicious domains were detected by Unit 42’s detector in a redirection campaign.
This detection rate shows the superior capabilities of the detector, which outperformed VirusTotal’s 31.7% detection rate. Unit 42 detected them 32.3 days earlier on average.
Despite the use of Cloudflare complicating pDNS identification, the researchers traced random domain generation with shared characteristics.
Victims in the campaign were redirected to adware or scam pages featuring:
- Fake notifications
- Clickbait ads
According to a report by Palo Alto, a phishing campaign was found that targeted users in Italy and Germany. The detector found related domains in this campaign. In addition, there was another campaign that impersonated USPS. In this case, over 30 domains were used on the same day between June 17 and August 28, 2023. The report notes that these domains were registered and certified under four certificates.
The aggregation of domains and their synchronized creation indicate automated threat actor activity. One campaign with more than 17 domains was involved in high-yield investment scams, with commonalities such as:
- Certificate length
- IP address
However, all of the victims were lured with promises of easy money and redirected through pages and checkboxes to confirm the phishing.
Threat actors actively automate their setups in domain campaigns, but bulk registration leaves many detectable traces. However, success relies on defenders merging datasets to unveil malicious campaigns.
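As an added example (not code from the Unit 42 report or its detector), the following Python sketch computes a few of the certificate-domain, pDNS and same-day aggregation features from the categories listed above over a constructed set of joined CT-log/pDNS rows, and flags clusters in the way the USPS and investment-scam campaigns were tied together by shared certificates, IP addresses and issuance dates. The Record fields, the fixed-threshold rule standing in for the Random Forest, and all sample values are assumptions.

```python
import math
from collections import defaultdict
from dataclasses import dataclass
from datetime import date

@dataclass
class Record:                 # one row of joined CT-log + pDNS data (all values constructed)
    domain: str               # .example names, not real indicators
    cert_sha1: str            # placeholder certificate fingerprint
    not_before: date          # certificate issuance date
    ip: str                   # first pDNS resolution (documentation-range address)

def name_entropy(domain):
    """Shannon entropy of the leftmost label: a crude 'random-looking name' lexical feature."""
    label = domain.split(".")[0]
    probs = [label.count(c) / len(label) for c in set(label)]
    return -sum(p * math.log2(p) for p in probs)

def features(records):
    """Per-domain aggregation features: how many other domains share its cert, IP and issuance day."""
    by_cert, by_ip, by_day = defaultdict(list), defaultdict(list), defaultdict(list)
    for r in records:
        by_cert[r.cert_sha1].append(r.domain)
        by_ip[r.ip].append(r.domain)
        by_day[r.not_before].append(r.domain)
    return {r.domain: {"cert_siblings": len(by_cert[r.cert_sha1]) - 1,
                       "ip_siblings": len(by_ip[r.ip]) - 1,
                       "same_day_siblings": len(by_day[r.not_before]) - 1,
                       "entropy": round(name_entropy(r.domain), 2)} for r in records}

def flag_stockpiled(feats, min_siblings=2, min_signals=2):
    """Stand-in for the trained classifier (assumed rule): flag a domain when at least min_signals
    of its three aggregation features show min_siblings or more companion domains."""
    keys = ("cert_siblings", "ip_siblings", "same_day_siblings")
    return sorted(d for d, f in feats.items()
                  if sum(f[k] >= min_siblings for k in keys) >= min_signals)

# Constructed sample: four parcel-themed domains issued the same day on one IP, plus a benign site.
SAMPLE = [
    Record("parcel-track-a.example", "CERT-A", date(2023, 6, 17), "198.51.100.7"),
    Record("parcel-track-b.example", "CERT-A", date(2023, 6, 17), "198.51.100.7"),
    Record("parcel-track-c.example", "CERT-A", date(2023, 6, 17), "198.51.100.7"),
    Record("parcel-track-d.example", "CERT-B", date(2023, 6, 17), "198.51.100.7"),
    Record("bakery.example", "CERT-C", date(2021, 3, 2), "203.0.113.9"),
]

if __name__ == "__main__":
    print(flag_stockpiled(features(SAMPLE)))  # the four parcel-track domains; bakery is not flagged
```

Note that parcel-track-d sits on its own certificate yet is still caught through the IP and same-day signals, which is the point of combining sources rather than relying on any one of them.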
IOCs
Source credit: cybersecuritynews.com