Researchers Hunted Malicious Stockpiled Domains Analyzing DNS Records

Malicious stockpiled domains are domain names that threat actors register in bulk and hold in reserve for future malicious activities such as:-

  • Phishing attacks
  • Malware distribution
  • Scams
  • Unwanted Program distribution
  • Malicious Search Engine Optimization (SEO)
  • Illicit content distribution

These domains are typically left dormant at first so that they do not attract attention, and are activated later, when the threat actors need them, to:-

  • Exploit vulnerabilities
  • Deceive users

Recently, cybersecurity researchers at Palo Alto Networks’ Unit 42 hunted for malicious stockpiled domains by analyzing passive DNS and certificate records.

Malicious Stockpiled Domains

Attacker automation leaves traces in several data sources that defenders can inspect, such as:-

  • Certificate transparency logs
  • Passive DNS (pDNS)

Researchers combined these traces to build a stockpiled-domain detector that offers wider coverage of malicious domains and earlier detection than reputation lookups alone.

The detector computes more than 300 features from terabytes of data, including:-

  • Billions of pDNS records
  • Billions of certificate records

A large knowledge base of known malicious and benign domains was used for two key purposes:-

  • Reputation calculation
  • Training a Random Forest ML algorithm

To detect stockpiled domain names, the researchers extract the following six categories of features:-

  • Certificate Features
  • Domain Name Lexical Features
  • Certificate Domain Aggregation Features
  • Certificate Reputation and Aggregation Features
  • pDNS and Certificate Aggregation Features
  • pDNS Reputation and Aggregation Features
Feature extraction pipeline (Source – Palo Alto Networks)
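The feature categories above are easier to reason about with concrete inputs. The following is an added example, not Unit 42's code: it inverts a handful of constructed certificate-transparency and passive-DNS records and computes a few lexical, certificate, pDNS, aggregation and reputation features per domain, in the spirit of the six categories listed. All records, IP addresses, fingerprints and the known-malicious/benign lists are constructed for illustration (reserved example TLDs, placeholder fingerprints); the real detector uses hundreds of features and a public-suffix list rather than the naive label split used here.

```python
import math
from collections import defaultdict
from datetime import date

# --- Constructed sample data (not real telemetry) --------------------------
# CT leaf records: fingerprint (placeholder), validity window, SAN list.
CT_RECORDS = [
    {"sha1": "01" * 20, "not_before": date(2023, 6, 17), "not_after": date(2023, 9, 15),
     "sans": ["delivery-parcel.example", "delivery-parcel.invalid", "parcel-redelivery.example"]},
    {"sha1": "02" * 20, "not_before": date(2023, 6, 17), "not_after": date(2023, 9, 15),
     "sans": ["parcel-redelivery.test", "track-parcel.test"]},
    {"sha1": "03" * 20, "not_before": date(2022, 1, 1), "not_after": date(2023, 1, 1),
     "sans": ["weather-blog.example"]},
]
# Passive-DNS A-record observations: (domain, resolved IP).
PDNS_RECORDS = [
    ("delivery-parcel.example", "203.0.113.10"),
    ("delivery-parcel.invalid", "203.0.113.10"),
    ("parcel-redelivery.example", "203.0.113.10"),
    ("coffeeclub.example", "203.0.113.10"),   # unrelated tenant on the same host
    ("parcel-redelivery.test", "203.0.113.11"),
    ("track-parcel.test", "203.0.113.11"),
    ("weather-blog.example", "198.51.100.7"),
]
# Knowledge base of previously labelled domains (constructed).
KNOWN_MALICIOUS = {"delivery-parcel.invalid"}
KNOWN_BENIGN = {"weather-blog.example", "coffeeclub.example"}


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score higher than dictionary words."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def lexical_features(domain: str) -> dict:
    """Domain Name Lexical Features, computed on the second-level label."""
    label = domain.split(".")[0]   # simplification: real code would use the public-suffix list
    return {
        "lex_len": len(domain),
        "lex_digit_ratio": sum(c.isdigit() for c in label) / len(label),
        "lex_hyphens": label.count("-"),
        "lex_entropy": round(shannon_entropy(label), 3),
    }


def build_indexes(ct_records, pdns_records):
    """Invert both sources once so that aggregation features are cheap lookups."""
    idx = {"domain_certs": defaultdict(list), "domain_ips": defaultdict(set),
           "ip_domains": defaultdict(set)}
    for cert in ct_records:
        for san in cert["sans"]:
            idx["domain_certs"][san].append(cert)
    for domain, ip in pdns_records:
        idx["domain_ips"][domain].add(ip)
        idx["ip_domains"][ip].add(domain)
    return idx


def _malicious_ratio(neighbours) -> float:
    """Reputation: share of already-known-malicious names among related domains."""
    neighbours = list(neighbours)
    if not neighbours:
        return 0.0
    return sum(n in KNOWN_MALICIOUS for n in neighbours) / len(neighbours)


def certificate_features(domain: str, idx) -> dict:
    """Certificate features plus certificate/domain aggregation and reputation."""
    certs = idx["domain_certs"].get(domain, [])
    if not certs:
        return {"cert_count": 0, "cert_min_validity_days": -1,
                "cert_max_sans": 0, "cert_san_malicious_ratio": 0.0}
    other_sans = {s for c in certs for s in c["sans"] if s != domain}
    return {
        "cert_count": len(certs),
        "cert_min_validity_days": min((c["not_after"] - c["not_before"]).days for c in certs),
        "cert_max_sans": max(len(c["sans"]) for c in certs),
        "cert_san_malicious_ratio": _malicious_ratio(other_sans),
    }


def pdns_features(domain: str, idx) -> dict:
    """pDNS aggregation (co-hosting fan-out) and reputation of co-hosted names."""
    ips = idx["domain_ips"].get(domain, set())
    co_hosted = {d for ip in ips for d in idx["ip_domains"][ip] if d != domain}
    return {
        "pdns_ip_count": len(ips),
        "pdns_max_domains_per_ip": max((len(idx["ip_domains"][ip]) for ip in ips), default=0),
        "pdns_cohosted_malicious_ratio": _malicious_ratio(co_hosted),
    }


def feature_vector(domain: str, idx) -> dict:
    """One row per domain; a tree ensemble such as a random forest consumes these columns."""
    return {**lexical_features(domain), **certificate_features(domain, idx),
            **pdns_features(domain, idx)}


INDEX = build_indexes(CT_RECORDS, PDNS_RECORDS)

if __name__ == "__main__":
    for d in ("delivery-parcel.example", "weather-blog.example"):
        print(d, feature_vector(d, INDEX))
```

In this constructed data the phishing-style name ends up with a short 90-day certificate shared with three other names (one already known bad), a hyphenated label and an IP hosting four domains, while the benign blog has a one-year single-name certificate on a dedicated IP; those are the kinds of column values a trained model separates on. A domain that appears in neither source gets neutral defaults rather than an error, which matters when scoring newly registered names that have no pDNS history yet.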

Unit 42’s detector identified more than 9,000 malicious domains in a single redirection campaign.

By comparison, VirusTotal flagged only 31.7% of those domains, and Unit 42 detected them 32.3 days earlier on average.

Although the campaign’s use of Cloudflare complicated identification through pDNS (the resolved IP addresses belong to the proxy, not to attacker-controlled hosts), the researchers were still able to trace randomly generated domains that shared other characteristics.

Victims in the campaign faced redirection to adware or scam pages featuring:-

  • Fake notifications
  • Clickbait ads
Fake warning message (Source – Palo Alto Networks)

According to the Palo Alto Networks report, the detector also found related domains in a phishing campaign that targeted users in Italy and Germany. In another campaign, which impersonated USPS, over 30 domains registered on the same day were used between June 17 and August 28, 2023; the report notes that these domains were covered by just four certificates.

The grouping of many domains under a few certificates and their synchronized creation point to automated threat-actor tooling. Another campaign, with more than 17 domains, focused on high-yield investment scams; its domains shared characteristics such as:-

  • Certificate length
  • IP address
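The USPS and investment-scam campaigns above were expanded by pivoting on exactly these shared artifacts: a common certificate, a common IP address, and same-day registration, with the caveat (noted for the Cloudflare-fronted redirection campaign) that an IP shared through a CDN or reverse proxy says nothing about ownership. The following is an added example, not Unit 42's tooling: a breadth-first pivot from one seed domain over per-domain records constructed for illustration (reserved example TLDs, placeholder fingerprints). The list of shared-infrastructure IPs and the three-day registration-synchrony window are assumptions chosen for the example.

```python
from datetime import date, timedelta

# Constructed per-domain records, joined from registration data, CT and pDNS
# (not real telemetry; fingerprints are placeholders).
DOMAINS = {
    "delivery-parcel.example":   {"cert": "01" * 20, "ips": {"203.0.113.10", "192.0.2.1"}, "created": date(2023, 6, 17)},
    "delivery-parcel.invalid":   {"cert": "01" * 20, "ips": {"203.0.113.10"}, "created": date(2023, 6, 17)},
    "parcel-redelivery.example": {"cert": "01" * 20, "ips": {"203.0.113.10"}, "created": date(2023, 6, 17)},
    "parcel-redelivery.test":    {"cert": "02" * 20, "ips": {"203.0.113.11"}, "created": date(2023, 6, 18)},
    "track-parcel.test":         {"cert": "02" * 20, "ips": {"203.0.113.11"}, "created": date(2023, 6, 18)},
    "redelivery-notice.test":    {"cert": "06" * 20, "ips": {"203.0.113.11"}, "created": date(2023, 6, 19)},
    "coffeeclub.example":        {"cert": "03" * 20, "ips": {"203.0.113.10"}, "created": date(2021, 3, 2)},
    "innocent-shop.test":        {"cert": "04" * 20, "ips": {"192.0.2.1"}, "created": date(2023, 6, 17)},
    "weather-blog.example":      {"cert": "05" * 20, "ips": {"198.51.100.7"}, "created": date(2022, 1, 1)},
}

# Assumed: addresses of a CDN / reverse proxy. Thousands of unrelated sites
# resolve to such IPs, so a shared IP here is not evidence of shared ownership.
SHARED_INFRA_IPS = {"192.0.2.1"}
# Assumed tolerance for "created at the same time" (bulk registration).
WINDOW = timedelta(days=3)


def sld(domain: str) -> str:
    """Second-level label; simplification of a public-suffix-list split."""
    return domain.split(".")[0]


def related(a: str, b: str):
    """Return the name of the pivot that links two domains, or None."""
    ra, rb = DOMAINS[a], DOMAINS[b]
    if ra["cert"] == rb["cert"]:
        # Strongest signal: one certificate covering both names.
        return "shared-certificate"
    synchronized = abs(ra["created"] - rb["created"]) <= WINDOW
    if synchronized and sld(a) == sld(b):
        # Same label registered under several TLDs within the window.
        return "same-label-other-tld"
    if synchronized and (ra["ips"] & rb["ips"]) - SHARED_INFRA_IPS:
        # Shared hosting counts only off CDN space and only with synchrony.
        return "shared-ip"
    return None


def expand_campaign(seed: str) -> dict:
    """Breadth-first expansion; maps each domain to the pivot that reached it."""
    cluster = {seed: "seed"}
    frontier = [seed]
    while frontier:
        current = frontier.pop()
        for candidate in DOMAINS:
            if candidate in cluster:
                continue
            pivot = related(current, candidate)
            if pivot:
                cluster[candidate] = pivot
                frontier.append(candidate)
    return cluster


if __name__ == "__main__":
    for domain, pivot in expand_campaign("delivery-parcel.example").items():
        print(f"{domain:28s} via {pivot}")
```

Starting from one seed, the walk pulls in the names on the same certificate, then crosses to a second certificate through the same label on another TLD, and finally picks up a newly created name co-hosted on the attackers' own IP. It deliberately leaves out the old tenant sharing that IP (created two years earlier) and the unrelated site that only shares the CDN address, which is the check that stops a pivot from sweeping in every domain behind a reverse proxy.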

In every case the victims were lured with promises of easy money and redirected through a series of pages and checkbox prompts before reaching the phishing landing page.

Final landing page (Source – Palo Alto Networks)

Threat actors automate the setup of their domain infrastructure, but bulk registration leaves detectable traces. Exploiting them depends on defenders merging datasets such as passive DNS and certificate transparency logs to reveal whole campaigns rather than single domains.

IOCs

Puppy Scam Example Domain

  • Baronessabernesemountaindogpuppies[.]com

Malicious Redirection Campaign Domains

  • Whdytdof[.]tk
  • Pbyiyyht[.]gq
  • Rthgjwci[.]cf
  • Cgptvfjz[.]ml
  • Thewinjackpot[.]life

Postal Phishing Campaign Domains

  • Abschlussschritte-info[.]com
  • Aksunnatechnologies[.]com
  • 222camo[.]com
  • Rothost[.]best

A Sample of USPS Phishing Campaign Domains

  • Delivery-usps[.]vip
  • Delivery-usps[.]wiki
  • Delivery-usps[.]ren
  • Usps-redelivery[.]art
  • Usps-redelivery[.]live

USPS Phishing Campaign Certificate SHA-1 Fingerprints

  • 18:FF:07:F3:05:A7:6A:C2:7A:38:89:C5:06:FD:D7:B8:D9:06:88:AB
  • 89:29:97:5E:E9:F7:14:D9:95:16:9B:B3:74:33:0C:7B:D0:8F:98:30
  • B6:74:45:84:0C:FF:81:05:C2:28:0F:EF:91:23:D8:A0:E8:ED:3A:2E
  • 6A:21:31:8B:F4:0A:04:40:FA:37:46:15:A3:CE:1F:0A:C5:0A:93:C3

High Yield Investment Scam Campaign Domains

  • Erinemailbiz[.]com
  • Makemoneygeorge[.]com
  • Natashafitts[.]com
  • Julieyeoman[.]com
  • Checkout.mytraffic[.]biz

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.