Home / Industry

Malicious Valentine: Uncovering Thousands of Connections to Romance-Themed Campaign IoCs

Romance-themed malicious campaigns are launched throughout the year, but days leading up to Valentine’s Day could be particularly timely for such activities. WhoisXML API researchers analyzed more than 70 indicators of compromise (IoCs) related to multiple romance-themed campaigns, including a Japanese online dating scam, the BazaLoader campaign, and the romance-crypto malicious combo dubbed “CryptoRom.” We uncovered several connections and artifacts, and our analysis includes the following:

  • Unredacted registrant email addresses of the malicious domains gleaned from WHOIS history records
  • Thousands of domains sharing the unredacted registrant email addresses
  • Possible use of domain generation algorithms (DGAs) in several of the IoCs
  • Hundreds of DGA-using domains recently registered in bulk in the last week of January 2022

You may download the complete list of IoCs, artifacts, and other data points from our website.

Historical WHOIS Yields Thousands of Domain Connections

While some of the domains tagged as IoCs have been left to expire and several active ones had redacted WHOIS records, WHOIS history still left breadcrumbs that allowed us to trace domain connections. In particular, we discovered nine unredacted registrant email addresses, several of which were Yahoo! email addresses.

Current and historic reverse WHOIS searches for these email addresses yielded 10,156 additional domain names. At one point, these domains shared the same registrant with the IoCs, making them suspicious at the very least.

Machine-Generated Domains

Besides the registrant email addresses, the connected domains had other characteristics in common with the IoCs. One, a majority of the IoCs show patterns consistent with that of DGAs. The same was true for the artifacts we discovered. A few examples are shown below.

Japan Online Dating Scam IoCsConnected DomainsCryptoRom IoCsConnected Domains
bgmdvusqbsx[.]jp
bwsyxpadka[.]jp[.]com
crsiystr399[.]jp
cwiabwtrrt[.]jp
kgwhha-erwgh[.]com
iuehbja-rwj74a[.]com
khsg-aapop4aq[.]com
hgwehgah-77[.]com
xxcdmfva-9axxc[.]com
ttishw-wagha7a8[.]com
qqkkd[.]com
slhb518[.]com
bxjys[.]xyz
fxtmjy[.]com
gpwtrad[.]com
hqhcw[.]net
hjqhw[.]net
242302[.]com
375364[.]com
721504[.]com

The WHOIS records of these domains showed that some were registered on the same day. They may have been registered in bulk, along with other similar-looking domains, and used by threat actors gradually—a behavior that is consistent with what we found in a research study focusing on more than 13,000 domains bulk-registered on the same day. We discussed our findings in detail in this webinar. But what stood out was that bulk registration can serve as an early-warning mechanism for identifying suspicious domains.

We can find more suspicious web properties using DGA usage and bulk registration as criteria. For instance, on 24—30 January 2022, the Typosquatting Data Feed picked up several groups of DGA-using domains. The largest group consists of 305 domains registered on 30 January 2022 and uses the .xyz top-level domain (TLD).

While these domains may not be direct artifacts of the romance-themed campaigns in this study, they are helpful when conducting IoC list expansion. We included these domains in the downloadable threat research materials, along with two other groups of bulk-registered DGA-using domains.

Adult Content

Subjecting a sample of the connected domains to a screenshot analysis revealed the type of content they host. While some were parked, several hosted adult-related content.

Malicious Domain Alert

We also ran a malware check on a sample comprising 56% of the total number of connected domains and found that 16 were malicious, including:

  • iueyughba-55ea[.]com
  • 031632[.]com
  • ddxxp[.]com
  • 092286[.]com
  • qqhhm[.]com

Some Internet users might be lured into visiting online dating sites and other websites promising gifts, companionship, and other Valentine’s Day treats in the days leading up to the occasion. This type of campaign may use domains that utilize DGAs, among others, based on past behaviors. We just uncovered more than 10,000 domains that could be related to past IoCs.

Looking out for more related domains through WHOIS record heuristics can help warn people against domains that could figure in malicious campaigns.

If you are a threat researcher or cybersecurity professional interested in the IoCs and artifacts presented in this study, please contact us to learn more about our cyber threat intelligence sources and possible research collaboration.

NORDVPN DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

Threat Intelligence

Sponsored byWhoisXML API

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign