The two main advantages of detecting stockpiled domains are expanding coverage of malicious domains and providing patient-zero detections as attackers stock up on domains for future use.
As of July 2023, our detection pipeline has found 1,114,499 unique stockpiled root domain names and identifies tens of thousands of malicious domains weekly.
As Emilia monitored various scam campaigns, she quickly caught on to the tactic of strategically aging domains and set her team to watch for when dormant domains get activated.
Recognizing that automation can leave us crumbs of information in different datasets, we extracted features from certificate transparency logs, pDNS data and domain name strings that our detector can use to find malicious domain names.
From the domain name itself, we calculate features like the randomness of the name, the number of words, encoding of the top-level domain, and whether there is a brand name in the domain name.
These features help us capture whether a malicious campaign is targeting a specific set of brands, or if the same algorithm generated the domain names.
From pDNS we calculate features such as the proportions of known-malicious and known-benign domains, the average domain age, and the number of certificates observed for an IP. pDNS reputation helps us understand more about the shared infrastructure behind stockpiled domain names.
Aggregating across multiple data sources is essential to understanding the deeper connection between certificate setup and the infrastructure of stockpiled domain names.
After generating features from domain names, certificate logs and pDNS, we train a Random Forest machine learning classifier to predict stockpiled domain names.
We leverage our extensive knowledge of millions of malicious and benign domain names as labeled data for training and fine-tuning the classifier for high precision.
Our classifier can achieve 99% precision with 48% recall, even though many of the malicious domains might not be stockpiled or cybercriminals might not leave traces of information in certificate logs and passive DNS data.
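To make the feature extraction above concrete, here is an added Python example (not Unit 42's pipeline code) that derives the name-string, certificate-timing and per-IP pDNS features described in this post; the brand list, word list, low-quality TLD set and the sample domains and IP are constructed placeholders, not values from the article.

```python
import math
from collections import Counter
from datetime import date

# Constructed lookup tables standing in for the production brand, word and
# low-reputation TLD lists (assumptions for this example, not Unit 42's data).
BRANDS = {"paypal", "microsoft", "apple"}
WORDS = {"secure", "login", "account", "update", "pay", "bank"}
LOW_QUALITY_TLDS = {"xyz", "top", "cfd", "sbs"}

def shannon_entropy(s):
    """Bits per character of the label; algorithmically generated names score high."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def count_words(label):
    """Greedy longest-match count of dictionary words or brands inside the label."""
    i, found = 0, 0
    while i < len(label):
        for j in range(len(label), i, -1):
            if label[i:j] in WORDS or label[i:j] in BRANDS:
                found, i = found + 1, j
                break
        else:
            i += 1
    return found

def domain_features(root_domain, registered, cert_not_before, cert_not_after):
    """Per-domain features from the name string and its certificate timing."""
    label, _, tld = root_domain.lower().rpartition(".")  # single-label TLDs only
    return {
        "entropy": round(shannon_entropy(label), 3),
        "word_count": count_words(label),
        "has_brand": any(b in label for b in BRANDS),
        "low_quality_tld": tld in LOW_QUALITY_TLDS,
        "cert_same_day": cert_not_before == registered,  # cert issued on registration day
        "cert_validity_days": (cert_not_after - cert_not_before).days,
    }

def ip_reputation(pdns_records, labels, today):
    """Per-IP share of known-malicious / known-benign domains and mean domain age in days."""
    by_ip = {}
    for domain, ip, created in pdns_records:
        by_ip.setdefault(ip, []).append((labels.get(domain), (today - created).days))
    out = {}
    for ip, rows in by_ip.items():
        n = len(rows)
        out[ip] = {"malicious_ratio": sum(l == "malicious" for l, _ in rows) / n,
                   "benign_ratio": sum(l == "benign" for l, _ in rows) / n,
                   "avg_age_days": sum(a for _, a in rows) / n}
    return out
```

The resulting dictionaries are the rows a classifier such as the Random Forest described here would be trained on, one per root domain joined to its hosting IP's reputation.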
Our detection pipeline has found 1,114,499 unique stockpiled root domain names since July 2023, identifying tens of thousands of malicious domains weekly.
Other content and behavior analysis-based detectors later identified 45,862 malware, 8,989 phishing and 844 C2 domains among the stockpiled domains.
Our model caught stockpiled domains on average 34.4 days earlier than vendors on VirusTotal.
In a recent example, the perpetrators randomly generated domain names under low-quality TLDs, and all of the domains' certificates had the same validity length.
Our stockpiled domain detector caught all these domains before VirusTotal first detected them.
These domains were registered in the time span between June 17, 2023, and Aug. 28, 2023, and the domain certificates were obtained on the same day of registration.
The aggregation of domains into a few certificates and the correlation to domain creation time suggests that threat actors created these domains with some level of automation.
This automation allowed us to connect the dots and detect all of these malicious stockpiled domains.
Bulk domain registration and infrastructure automation can leave crumbs of information that allow us to detect stockpiled domains.
This Cyber News was published on unit42.paloaltonetworks.com. Publication date: Fri, 15 Dec 2023 23:13:05 +0000