Researchers Hunted Malicious Stockpiled Domains Analyzing DNS Records

by Esmeralda McKenzie

Malicious stockpiled domains are sets of domains that threat actors register in advance for many kinds of future malicious activity, such as:

  • Phishing attacks
  • Malware distribution
  • Scams
  • Unwanted program distribution
  • Malicious search engine optimization (SEO)
  • Illicit protest material distribution

These domains tend to be kept unused at first to evade detection and are activated later, when the threat actors need them, to:

  • Exploit vulnerabilities
  • Deceive users

Recently, cybersecurity researchers at Palo Alto Networks’ Unit 42 hunted malicious stockpiled domains by analyzing DNS data.

Malicious Stockpiled Domains

Attacker automation leaves many kinds of traces in various data sources, which defenders can detect in places such as:

  • Certificate transparency logs
  • Passive DNS (pDNS)

The researchers used these data points to build a stockpiled-domain detector that offers wider malicious-domain coverage and earlier detection.

In addition, they employed more than 300 features to process terabytes of data, including:

  • Billions of pDNS records
  • Billions of certificate records

A large data set of malicious and benign domains supported the following key tasks:

  • Reputation calculation
  • Training a Random Forest ML algorithm

To detect stockpiled domains, the researchers extract the following six categories of features:

  • Certificate features
  • Domain name lexical features
  • Certificate domain aggregation features
  • Certificate reputation and aggregation features
  • pDNS and certificate aggregation features
  • pDNS reputation and aggregation features

Feature extraction pipeline (Source – Palo Alto Networks)

More than 9,000 malicious domains were detected by Unit 42’s detector in a single redirection campaign.

This detection rate shows the superior capability of the detector, which outperformed VirusTotal’s 31.7% detection rate. Unit 42 detected the domains 32.3 days earlier on average.

Although the campaign’s use of Cloudflare complicated pDNS-based identification, the researchers traced randomly generated domains that shared common characteristics.

Victims of the advertising campaign were redirected to adware or scam pages featuring:

  • Fake notifications
  • Clickbait advertisements

Fake warning message (Source – Palo Alto Networks)

According to a report by Palo Alto, a phishing campaign was found that targeted users in Italy and Germany, and the detector found the domains associated with it. Another campaign impersonated USPS. In that case, over 30 domains were used on the same day between June 17 and August 28, 2023. The report notes that these domains were registered and certified under four certificates.

The aggregation of domains and their synchronized creation indicate automated threat actor involvement. One campaign with more than 17 domains was involved in high-yield investment scams; its domains shared commonalities such as:

  • Certificate length
  • IP address
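
The aggregation features listed above (domains sharing a certificate, an IP address, or a first-seen day) and the lexical features in the six categories can be illustrated with a small feature extractor. This is an added example, not Unit 42’s code; the records, fingerprints, IPs and domain names are constructed, and the clustering rule is a simple heuristic standing in for the report’s trained Random Forest.

```python
from collections import defaultdict
from datetime import date

# Constructed sample rows (not Unit 42 data): one row per domain, joining a
# certificate-transparency entry (fingerprint placeholder) with the domain's
# pDNS first-seen date and resolved IP.
RECORDS = [
    # (domain, cert_fingerprint, first_seen, resolved_ip)
    ("parcel-notice-a.example", "FP-A", date(2023, 6, 17), "198.51.100.10"),
    ("parcel-notice-b.example", "FP-A", date(2023, 6, 17), "198.51.100.10"),
    ("parcel-notice-c.example", "FP-A", date(2023, 6, 17), "198.51.100.10"),
    ("xqzvtrkp.example",        "FP-A", date(2023, 6, 17), "198.51.100.10"),
    ("city-library.example",    "FP-B", date(2021, 3, 2),  "203.0.113.5"),
    ("garden-club.example",     "FP-C", date(2019, 11, 20), "203.0.113.9"),
]

def vowel_ratio(domain):
    """Lexical feature: share of vowels in the registrable label; random
    labels such as 'xqzvtrkp' score far below dictionary-like names."""
    label = domain.split(".")[0].replace("-", "")
    return sum(c in "aeiou" for c in label) / max(len(label), 1)

def aggregation_features(records):
    """Per-domain counts of how many other domains share the same
    certificate, the same IP, and the same certificate plus first-seen day."""
    by_cert, by_ip, by_cert_day = defaultdict(set), defaultdict(set), defaultdict(set)
    for dom, fp, seen, ip in records:
        by_cert[fp].add(dom)
        by_ip[ip].add(dom)
        by_cert_day[(fp, seen)].add(dom)
    return {
        dom: {
            "vowel_ratio": round(vowel_ratio(dom), 2),
            "cert_siblings": len(by_cert[fp]) - 1,
            "ip_siblings": len(by_ip[ip]) - 1,
            "same_day_cert_siblings": len(by_cert_day[(fp, seen)]) - 1,
        }
        for dom, fp, seen, ip in records
    }

def flag_clusters(features, min_siblings=3):
    """Heuristic stand-in for the report's classifier: flag a domain when at
    least min_siblings others share its certificate and first-seen day."""
    return sorted(d for d, f in features.items()
                  if f["same_day_cert_siblings"] >= min_siblings)

if __name__ == "__main__":
    feats = aggregation_features(RECORDS)
    for dom in flag_clusters(feats):
        print(dom, feats[dom])
```

Joining the certificate and pDNS views is what exposes the cluster: each of the four flagged domains looks unremarkable on its own, but together they share one certificate, one IP and one registration day.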

All of the victims were lured with promises of easy money and redirected through a series of pages and checkboxes to complete the phishing.

Final landing page (Source – Palo Alto Networks)

Threat actors actively automate their setups in domain campaigns, but bulk registration leaves many detectable traces. Success, however, depends on defenders merging datasets to uncover malicious campaigns.


Source credit : cybersecuritynews.com
