
Hidden Botnet C&C on Legitimate Infrastructure? The Case of 000webhostapp[.]com

Thanks to Dancho Danchev, WhoisXML API’s DNS Threat Researcher, for the initial investigation available here, which led to the creation of this post.

Threats can come from anywhere, even from legitimate hosting infrastructure. In fact, many cybercriminals often host their command-and-control (C&C) servers in known hosting providers’ networks, sometimes those that offer bulletproof hosting services, to evade detection and consequent blocking.

We found that one service provider recently abused by cyber attackers is Hostinger. Two WhoisXML API studies identified 93 IP addresses, 119 subdomains of the domain 000webhostapp[.]com, and four name servers, all part of Hostinger’s infrastructure, that have played a part in botnet operations.

We used a variety of domain and IP intelligence tools to obtain as much information as possible on these to help cybersecurity teams better protect their networks.

IP Address Resolutions

We subjected the 93 IP addresses to reverse IP/DNS lookups to determine how many and what domains they resolved to over time according to passive Domain Name System (DNS) data.

The 93 IP addresses resolved to at least 300 domains each, for a total of at least 27,900 domains. Note that the reverse IP/DNS lookups we ran return at most 300 domains per IP address queried, so the actual number of resolutions could be higher.

After removing duplicate domains, we ended up with a list of 8,416. Of these, 48% (totaling 4,015 domains) use the .com top-level domain. In second and third place are .xyz (6% or 520) and .online (5% or 393) domains, respectively. The top 20 TLDs are shown in Chart 1 below.

Chart 1: Top 20 TLDs used by the domains connected to the Hostinger-hosted botnet C&C servers

Based on the data shown in Chart 1, organizations that prefer not to block the campaign-related Hostinger IP addresses at the IP level may instead want to be especially wary of connected domains that use the top 20 TLDs listed above. Companies that use Hostinger, or whose partners and customers do, may be among those that would not want to block the IP addresses. Some of these could have been hijacked by the attackers, and their owners may not know of their connection to the threat.
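The counting described above (reverse IP/DNS results per address, deduplication across addresses, and a TLD tally with percentages) is straightforward to reproduce on your own passive DNS exports. The following is an added example written for this post, not WhoisXML API code; the reverse-lookup results are constructed inline, the 300-per-IP cap is the one the text mentions, and the TLD is taken as the last label only (an assumption that mislabels multi-part suffixes such as .co.uk, where a public suffix list would be needed).

```python
from collections import Counter

# Constructed sample of reverse IP/DNS results: one list of resolved
# domains per IP address, defanged the way indicators are usually shared.
# Real data would come from a passive DNS provider export.
SAMPLE_REVERSE_IP = {
    "192.0.2.10": ["shop-one[.]com", "news-feed[.]xyz", "shop-one[.]com"],
    "192.0.2.11": ["news-feed[.]xyz", "portal[.]online", "alpha[.]com"],
    "192.0.2.12": ["alpha[.]com", "beta[.]com", "gamma[.]net"],
}

# Per-IP cap on reverse lookup results, as noted in the post.
RESULT_CAP = 300


def refang(name: str) -> str:
    """Turn a defanged indicator like example[.]com back into example.com."""
    return name.replace("[.]", ".").strip().lower()


def dedupe_domains(reverse_ip: dict[str, list[str]]) -> set[str]:
    """Union of all resolved domains across every IP, refanged and case-folded."""
    return {refang(d) for domains in reverse_ip.values() for d in domains}


def capped_ips(reverse_ip: dict[str, list[str]], cap: int = RESULT_CAP) -> list[str]:
    """IPs whose result list hit the provider cap and may have more resolutions."""
    return [ip for ip, domains in reverse_ip.items() if len(domains) >= cap]


def tld_distribution(domains: set[str], top_n: int = 20) -> list[tuple[str, int, float]]:
    """Return (tld, count, percent) for the top_n TLDs, most common first.

    Assumption: the TLD is the last label; multi-part public suffixes are not
    handled. Domains are iterated in sorted order so tie ordering is stable.
    """
    counts = Counter(d.rsplit(".", 1)[-1] for d in sorted(domains))
    total = sum(counts.values())
    return [(tld, n, round(100 * n / total, 1)) for tld, n in counts.most_common(top_n)]


def flag_by_tld(candidates: list[str], distribution: list[tuple[str, int, float]]) -> list[str]:
    """Domains whose TLD is in the top-N list; a watchlist rather than a verdict."""
    watched = {tld for tld, _, _ in distribution}
    return [c for c in candidates if refang(c).rsplit(".", 1)[-1] in watched]


if __name__ == "__main__":
    unique = dedupe_domains(SAMPLE_REVERSE_IP)
    print(f"{len(unique)} unique domains; capped IPs: {capped_ips(SAMPLE_REVERSE_IP)}")
    for tld, n, pct in tld_distribution(unique):
        print(f".{tld:<8} {n:>4}  {pct:>5}%")
```

The watchlist function only narrows what to look at: a domain sharing a popular TLD with the C&C-connected set is not evidence of anything by itself, which is why the post frames the TLD data as a reason for extra caution rather than a blocking criterion.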

More Passive DNS Findings

A DNS lookup for the domain 000webhostapp[.]com showed that, at the time of writing, it resolves to the IP address 153[.]92[.]0[.]100. Note that this IP address might be new and isn’t part of the 119 mentioned in the study, so it may be a good idea to monitor communications with it as well. A reverse IP/DNS lookup for it yielded at least another 300 domains that should at the very least be examined further and blocked if they turn out to be malicious.

Reverse name server (NS) lookups for the four NSs identified earlier revealed that all of them were connected to 28 DNS records, which pointed to two more domains that users may need to avoid as well: thefreshstuffs[.]at and thefreshstuffs[.]mu, both of which VirusTotal flags as malicious.

Together, thefreshstuffs[.]at and thefreshstuffs[.]mu are connected to 12 IP addresses that aren’t part of the aforementioned study’s list. These are:

  • 65[.]75[.]96[.]208
  • 46[.]10[.]64[.]191
  • 188[.]27[.]197[.]140
  • 130[.]204[.]46[.]41
  • 5[.]56[.]73[.]146
  • 62[.]201[.]235[.]58
  • 37[.]75[.]32[.]140
  • 190[.]218[.]35[.]227
  • 37[.]34[.]176[.]37
  • 65[.]75[.]118[.]204
  • 95[.]104[.]121[.]111
  • 151[.]251[.]16[.]197

Reverse IP/DNS lookups for these 12 IP addresses yielded a list of 441 domains, some of which are malicious and suspicious. Examples of the malicious domains include fonderfonds[.]at, 7zip[.]mobi, and 7zipd[.]com. The domains omerta[.]cc, bulbank[.]email, and givemegotobye[.]ru, meanwhile, are suspicious.

Additional Subdomains

In parallel to the earlier findings, a domains and subdomains discovery search for other subdomains that contain the string “000webhostapp[.]com” but are part of other root domains yielded an additional 140 subdomains. Examples of these include:

  • 000webhostapp[.]com[.]dobrodey[.]world
  • 000webhostapp[.]com[.]siteindexed[.]com
  • 000webhostapp[.]com[.]pandastats[.]net
  • 000webhostapp[.]com[.]cutestat[.]com
  • 000webhostapp[.]com[.]statout[.]com
  • 000webhostapp[.]com[.]ipdomain[.]bid
  • 000webhostapp[.]com[.]incom[.]pk
  • 000webhostapp[.]com[.]dedicatedornot[.]com
  • 000webhostapp[.]com[.]ip-adress[.]com
  • 000webhostapp[.]com[.]websiteoutlook[.]com

While they may not be directly connected to the investigation at hand, these subdomains potentially present another cybersecurity or brand protection issue and probably require research to ensure that no abuse is taking place.
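The distinction that matters in the list above is that a hostname containing the string 000webhostapp.com is not necessarily under that domain: in 000webhostapp[.]com[.]dobrodey[.]world the registrable domain is dobrodey.world, and it is that owner, not Hostinger, who controls the name. The following is an added example, not part of the original post or WhoisXML API’s tooling, that sorts discovery hits into genuine subdomains of the target versus names that merely embed it under another root; the sample hostnames are constructed (the first two mirror the shape of the post’s examples), and the registrable root is assumed to be the last two labels, which is wrong for multi-part public suffixes.

```python
TARGET = "000webhostapp.com"

# Constructed sample of hostnames a subdomain discovery search might return.
SAMPLE_HITS = [
    "000webhostapp[.]com[.]dobrodey[.]world",   # target embedded under another root
    "000webhostapp[.]com[.]siteindexed[.]com",  # same pattern, different root
    "myapp[.]000webhostapp[.]com",              # real subdomain of the target
    "000webhostapp[.]com",                      # the target itself
    "000webhostapp-com[.]example",              # hyphen variant, not a label match
]


def refang(name: str) -> str:
    """Turn a defanged indicator like example[.]com back into example.com."""
    return name.replace("[.]", ".").strip().lower().rstrip(".")


def registrable_root(hostname: str) -> str:
    """Assumption: the registrable domain is the last two labels."""
    return ".".join(hostname.split(".")[-2:])


def classify(hostname: str, target: str = TARGET) -> tuple[str, str]:
    """Return (category, registrable_root) for one discovered hostname.

    Categories: 'target', 'subdomain_of_target', 'embedded_under_other_root',
    'unrelated'. Only whole-label matches count, so 000webhostapp-com.example
    is not treated as containing the target.
    """
    host = refang(hostname)
    tgt = refang(target)
    if host == tgt:
        return ("target", tgt)
    if host.endswith("." + tgt):
        return ("subdomain_of_target", tgt)
    labels = host.split(".")
    tgt_labels = tgt.split(".")
    n = len(tgt_labels)
    embedded = any(labels[i:i + n] == tgt_labels for i in range(len(labels) - n + 1))
    root = registrable_root(host)
    return ("embedded_under_other_root" if embedded else "unrelated", root)


def triage(hostnames: list[str], target: str = TARGET) -> dict[str, tuple[str, str]]:
    """Classify every hit; the roots of the 'embedded' entries are the ones to research."""
    return {refang(h): classify(h, target) for h in hostnames}


def roots_to_review(hostnames: list[str], target: str = TARGET) -> set[str]:
    """Distinct third-party registrable domains that embed the target name."""
    return {root for cat, root in triage(hostnames, target).values()
            if cat == "embedded_under_other_root"}


if __name__ == "__main__":
    for host, (category, root) in triage(SAMPLE_HITS).items():
        print(f"{host:<40} {category:<26} root={root}")
    print("roots to review:", sorted(roots_to_review(SAMPLE_HITS)))
```

Running the triage over a discovery export gives the list of third-party roots (dobrodey.world, siteindexed.com, and so on in the post's examples) that deserve the brand-protection or abuse check the paragraph above recommends, while genuine subdomains of the target stay with the hosting-provider investigation.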

Even IP addresses and domains that are part of legitimate infrastructures such as Hostinger’s can still be suspect. The hosting service provider may not be aware that its network is playing host to botnet C&C servers. Companies that communicate with the users of the IP addresses and domains cited in this article, along with those that share the identified hosts (IP addresses and NSs), may wish to take remediation steps.

If you wish to read the reports cited in this post or want to get complete copies of the artifacts we obtained, don’t hesitate to contact us. We’re always happy to collaborate with fellow researchers.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
