The expansion of the domain observation IoC has led to thousands of possible connections

Palo Alto Networks threat analysts discovered over 12,000 domain sighting cases after scanning the web from April to June 2022. For this threat, all cybercriminals need to do is create malicious subdomains under domains legitimate, allowing them to host command-and-control (C&C) servers, phishing pages, and other malicious content while relying on the legitimacy of root domains.

Often victims cannot detect domain shadowing until it is too late. WhoisXML API researchers relied on Indicators of Compromise (IoCs) published by Palo Alto Networks to obtain possible cases of domain shadowing and expand the list of potentially malicious domains. Our study revealed:

  • Over 2,900 subdomains starting with trust-evoking strings such as “login”, “training” and “carrier” added between September 1 and October 24, 2022
  • Over 1,600 web properties resolved to IP addresses to which IoCs were resolved
  • About 4% of IoC-related artifacts from the domain observation campaign were malicious
  • Multiple domains hosting or redirecting to similar Microsoft login pages that IoCs redirected to

A sample of additional artifacts obtained from our analysis is available for download from our website.

IoC extension

What other domains do malicious IP hosts share?

About 14 web properties marked as IoC in the domain observation campaign were published in the report referenced above. These resources were resolved to seven unique IP addresses, also named in the report.

A reverse IP/DNS lookup on IP addresses revealed 1,675 connected cyber resources, more than a dozen of which were flagged as malicious by various malware engines.

What other domains resemble IoCs?

By studying IoCs, we determined that in addition to using combinations of random text strings for subdomains, threat actors were also using terms that evoked the trust of the average internet user. Examples include “connection” and “training”. We have named some of the most common subdomains found in legitimate domains that threat actors can take advantage of.

We used these strings as Discovery of domains and subdomains search terms, as well as “dhl-express” and “carrier”, which were also seen in our subdomain searches for compromised domains. A total of 2,904 unique subdomains added from September 1 to October 24, 2022 were found. The graph below shows the volume of domains found by search term.

Nearly 4% of these connected properties were found to be malicious.

Artifact analysis

Approximately 81% of domain observation related artifacts had active IP resolutions. Several subdomains hosted questionable content, according to the screenshot search results. Some were login pages, similar to content hosted or redirected by IoCs.

The screenshot below shows the page that users who clicked on the IoCs were redirected to. The purpose of the page could be to steal Microsoft user credentials.

Screenshot from elitepackaging blog[.]com taken from Palo Alto Networks

On the other hand, below is a screenshot of one of the connected subdomains we discovered. Like the malicious page above, it also appears to resolve to a Microsoft-like login page.

Login screenshot[.]developer[.]order[.]application

Other examples found hosting similar content are shown below.

Malicious subdomains detected

We performed a bulk malware check on connected properties and found 172 that may have previously been in malicious campaigns, regardless of type: domain sighting or other type of cyberattack.

Alarmingly, several still host or redirect to suspicious pages, such as the ones shown below.

Domain cloaking is reminiscent of the modus operandi of the Gallium APT group that we have investigated in the past, where we discovered several malicious subdomains under legitimate root domains. In fact, for this study, some of the malicious properties we found were DuckDNS subdomains.

We found a common theme for both threats: malicious actors hiding behind legitimate domains. Compromised pages, however, can be difficult for domain owners to detect until it’s too late.

If you wish to carry out a similar survey or have access to the complete data of this research, do not hesitate to Contact us.