Malicious stockpiled domains are domain names that threat actors acquire in advance for several types of future malicious activity, such as:
These domains are often kept unused at first to evade detection, and are later activated by the threat actors when needed to:
Recently, the cybersecurity researchers at Palo Alto Networks' Unit 42 hunted malicious stockpiled domains while analyzing the DNS records.
Attacker automation leaves several types of traces in diverse data sources, which defenders can detect in sources such as:
Researchers combined these pieces of information to build a stockpiled-domain detector that offers wider malicious-domain coverage and earlier detection.
A large knowledge base of malicious and benign domains helped with the following key tasks:
To detect stockpiled domain names, the researchers collect the following six categories of features:
More than 9,000 malicious domains were detected by Unit 42's detector in a redirection campaign.
This detection rate demonstrates the detector's capabilities: it outperformed VirusTotal's 31.7% detection rate.
Unit 42's detector also flagged them 32.3 days earlier on average.
Although the use of Cloudflare complicated identification through passive DNS (pDNS), the researchers traced randomly generated domains that shared common characteristics.
Victims of the campaign were redirected to adware or scam pages featuring:
According to a report by Palo Alto, a phishing campaign was discovered that targeted users in Italy and Germany.
The detector found related domains in this campaign.
There was another campaign that impersonated USPS. In this case, over 30 domains were used on the same day between June 17 and August 28, 2023.
The report notes that these domains were registered and certified under four certificates.
The aggregation of domains and their synchronized creation suggest automation by the threat actor.
One campaign with more than 17 domains focused on high-yield investment scams and shared commonalities such as:
Threat actors actively automate their setups, and in this domain war the bulk registration leaves several detectable traces.
Success relies on defenders merging datasets to uncover malicious campaigns.
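The traces the article describes (same-day bulk registration, domains sharing a TLS certificate, common registrar or nameserver) can be turned into a simple clustering check. The following is an added example written for this article, not Unit 42's detector or any code from the report: it groups domain records by creation date and certificate, then reports which attributes every member of a cluster shares. All domains, certificate identifiers, registrars and nameservers below are constructed placeholders, and the feature set is a small illustrative subset, not the six categories the researchers used.

```python
from collections import defaultdict
from datetime import date

# Constructed sample records. None of these are real domains, certificates or
# registrations; they only imitate the shape of the traces the article describes
# (synchronized creation dates, a certificate shared by many domains).
RECORDS = [
    {"domain": "delivery-update-1.example", "created": date(2023, 6, 17),
     "cert": "CERT-PLACEHOLDER-A", "registrar": "RegistrarX", "ns": "ns1.bulk-host.example"},
    {"domain": "delivery-update-2.example", "created": date(2023, 6, 17),
     "cert": "CERT-PLACEHOLDER-A", "registrar": "RegistrarX", "ns": "ns1.bulk-host.example"},
    {"domain": "parcel-notice-3.example", "created": date(2023, 6, 17),
     "cert": "CERT-PLACEHOLDER-A", "registrar": "RegistrarX", "ns": "ns1.bulk-host.example"},
    {"domain": "parcel-notice-4.example", "created": date(2023, 6, 17),
     "cert": "CERT-PLACEHOLDER-A", "registrar": "RegistrarX", "ns": "ns1.bulk-host.example"},
    # Two domains on the same day with a different certificate: too small a group to flag.
    {"domain": "tracking-info-5.example", "created": date(2023, 6, 17),
     "cert": "CERT-PLACEHOLDER-B", "registrar": "RegistrarY", "ns": "ns1.other.example"},
    {"domain": "tracking-info-6.example", "created": date(2023, 6, 17),
     "cert": "CERT-PLACEHOLDER-B", "registrar": "RegistrarY", "ns": "ns1.other.example"},
    # Ordinary domains created on unrelated days with their own certificates.
    {"domain": "shop-legit.example", "created": date(2021, 3, 2),
     "cert": "CERT-PLACEHOLDER-C", "registrar": "RegistrarZ", "ns": "ns1.shop-legit.example"},
    {"domain": "blog-legit.example", "created": date(2022, 11, 20),
     "cert": "CERT-PLACEHOLDER-D", "registrar": "RegistrarX", "ns": "ns1.blog-legit.example"},
    # A second same-day batch that shares a certificate but uses two registrars.
    {"domain": "invest-plan-1.example", "created": date(2023, 8, 28),
     "cert": "CERT-PLACEHOLDER-E", "registrar": "RegistrarY", "ns": "ns1.bulk-host.example"},
    {"domain": "invest-plan-2.example", "created": date(2023, 8, 28),
     "cert": "CERT-PLACEHOLDER-E", "registrar": "RegistrarZ", "ns": "ns1.bulk-host.example"},
    {"domain": "invest-plan-3.example", "created": date(2023, 8, 28),
     "cert": "CERT-PLACEHOLDER-E", "registrar": "RegistrarY", "ns": "ns1.bulk-host.example"},
]


def cluster_by_creation_and_cert(records, min_size=3):
    """Group domains created on the same day that present the same certificate.

    Returns {(created_date, cert): [domains]} for groups of at least min_size,
    which is the 'synchronized creation + shared certificate' trace from the article.
    """
    buckets = defaultdict(list)
    for rec in records:
        buckets[(rec["created"], rec["cert"])].append(rec["domain"])
    return {key: sorted(doms) for key, doms in buckets.items() if len(doms) >= min_size}


def shared_attributes(domains, records, attrs=("registrar", "ns")):
    """Return the attribute names whose value is identical across all given domains."""
    by_domain = {rec["domain"]: rec for rec in records}
    return [a for a in attrs if len({by_domain[d][a] for d in domains}) == 1]


def flag_stockpile_candidates(records, min_size=3):
    """Produce one finding per cluster, annotated with the attributes its members share."""
    findings = []
    for (created, cert), domains in sorted(cluster_by_creation_and_cert(records, min_size).items()):
        findings.append({
            "created": created,
            "cert": cert,
            "domains": domains,
            "shared": shared_attributes(domains, records),
        })
    return findings


def flagged_domains(records, min_size=3):
    """Flat set of every domain that belongs to some flagged cluster."""
    return {d for f in flag_stockpile_candidates(records, min_size) for d in f["domains"]}


if __name__ == "__main__":
    for finding in flag_stockpile_candidates(RECORDS):
        print(finding["created"], finding["cert"], len(finding["domains"]),
              "domains; shared:", finding["shared"])
```

The clusters a run produces are only candidates: a hosting provider that issues one certificate to many unrelated customers on the same day would also satisfy this rule, which is why a real detector, as the article notes, needs more feature categories and a knowledge base of known benign domains to suppress such groups.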
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 04 Jan 2024 10:31:28 +0000