|
Sinkholing has long been employed as an effective cybersecurity solution to curb the spread of dangerous malware. Remember the infamous WannaCry ransomware outbreak in 2019? Security teams put a stop to the threat through sinkholing.
More recently, Microsoft sinkholed the web properties associated with Strontium, a Russian threat actor group that has been targeting Ukrainian sites via various cyber attacks.
While the tactic undoubtedly works, some trends related to ongoing threats may remain unknown. We hope to change that with this analysis conducted by WhoisXML API threat researcher Dancho Danchev, which gives cybersecurity teams more insights into sinkholed domains. The know-how can clue them into more web properties that may need to be taken offline as well.
Our in-depth analysis revealed:
As part of our ongoing effort to enable cybersecurity analysts and researchers to further their studies, we collated the pertinent data and made it available to anyone interested. You may download Danchev’s report and related threat research materials here.
We began our investigation by obtaining 24 email addresses that are known to have been used to sinkhole domains connected to ongoing malware and botnet operations.
Using these email addresses as reverse WHOIS search terms led to the discovery of 13,265 domains. Examples include:
The domain distribution per email address (which we partially redacted for privacy reasons) is shown below.
Several nonprofit organizations, big cybersecurity companies, and government agencies like the Shadowserver Foundation, the Federal Bureau of Investigation (FBI), Secureworks, Kaspersky, Check Point Software, and the Spamhaus Project appear to employ sinkholing based on the email addresses used.
A huge majority of the domains in our sample were sinkholed by what we could expect to be independent cybersecurity professionals.
Looking more closely at the sinkholed domains, we discovered that a huge majority were DGA-created as they contained randomly chosen alphanumeric characters. The following chart shows their volume distribution.
Four types of domains were detected—DGA-created, composed of generic terms, brand-related domains, and those containing persons’ names. The table below shows examples of each type.
DGA-Created Domains | Domains Comprising Generic Term Combinations |
---|---|
lztorsixnikxicahclbrasqu[.]org azslrhksyldb[.]org bqkrtxgkmriwsiwcngtivpx[.]info fkbpvfnbhfwedagussg[.]com yjwcms[.]com 1ceh5qxzn05qmwgt0d9uch994[.]com 38213ebe88d4[.]com 2uye6myuyiua[.]com 34dar0py74ha[.]com 89erk1ijs9a7[.]com | quicklygood[.]gdn eitherplunge[.]gdn plungeannounce[.]gdn monthsaturday[.]net deviceinstead[.]net beginthrown[.]net key-curve-project[.]com foot-cancel-profile[.]com companyfinish[.]net thelaboratorysp[.]com |
Domains Containing Individuals’ Names | Brand-Related Domains |
rosalynnecharnette[.]net jacquettawinthrop[.]net chantellenathaniel[.]net hendersonmontgomery[.]net thomasinasummerfield[.]net grenvillehuddleston[.]net rosalynnesackville[.]net priscillawilfreda[.]net zachariahsamuelson[.]net magdalenagrenville[.]net | applequestion[.]netthearpamotorola[.]com icloud-diagnostics[.]com googleapiserver[.]net sendtwitter[.]com nokia-upgrade[.]com gonfu-android[.]com amaz0n-cloud[.]com dellswdlb[.]com winupdate[.]us |
Given the mention of several brands, their device or service users may need to be wary of clicking suspicious links usually embedded in emails from unknown senders.
While it’s difficult to block all suspicious domains from servers, monitoring domains that fall under the four categories above can ease the process, especially if they sport the TLDs the threat actors used, such as .com, .net, and .xyz. All in all, the sinkholed domains were distributed across 27 TLDs.
Finally, we looked at 5% of the total number of sinkholed domains and found that they were live for an average of 2,078 days or five years and eight months. The youngest domains were 495 days or one year and five months old. Examples include:
The oldest domain—2gambling[.]us—was 4,042 days or 11 years and one month old.
Given the results of our in-depth study, companies need to be wary of suspicious domains that fall under the four categories mentioned above, especially if they sport the TLDs the actors behind the ongoing campaigns seem to have a fondness for. Looking out for relatively old domains, given the average age of the sinkholed sites, may also ease the monitoring and blocking process.
If you wish to perform a similar investigation, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.
Sponsored byVerisign
Sponsored byVerisign
Sponsored byCSC
Sponsored byRadix
Sponsored byWhoisXML API
Sponsored byDNIB.com
Sponsored byIPv4.Global