Two cyber threats recently caught the attention of WhoisXML API researchers, primarily since parts of their infection chain hide behind legitimate services. This tactic is tricky for security teams because blocking the domains involved means blocking legitimate applications, too.
First is the GALLIUM APT Group, which was found using a new remote access Trojan (RAT). Indicators of compromise (IoCs) included 13 domains and 130 IP addresses. Three domains were hosted on a free dynamic DNS service with the domain publicvm[.]com. Another threat uses fake Facebook login pages, enabling actors to steal 1 million credentials in just four months. The first link victims clicked were subdomains of legitimate app deployment services, such as glitch[.]me, famous[.]co, and amaze[.]co.
This research focused on subdomains belonging to the legitimate root domains involved in the two threats mentioned above. Our findings include the following:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We uncovered 14,517 subdomains belonging to only four root domains—publicvm[.]com, glitch[.]me, famous[.]co, and amaze[.]co. A majority of the properties were under publicvm[.]com and glitch[.]me, 63% of which were new, having been added only since 1 June 2022.
Included in the data sample are 174 glitch[.]me subdomains that contain Facebook-related strings, such as “facebook,” “meta,” “instagram,” and “whatsapp.” Apart from these strings, some of the most common ones used in the subdomains were “cpanel,” “cpcontacts,” “webdisk,” “cpcalendars,” “login,” “webmail,” and “mail.” These are reflected in the word cloud below.
We ran a bulk malware check on the data sample and found that 3.36% of the subdomains have been reported as malicious. Lexical analysis of these dangerous cyber resources yielded interesting results since most of the commonly used text strings also appeared in the nonmalicious subdomains.
The word cloud below shows similar strings found among the data sample, including “cpanel,” “cpcontacts,” “webdisk,” “cpcalendars,” “amazon,” and “login.”
The findings brought to light the possibility of several unreported malicious subdomains.
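The lexical check described above can be automated. The following is an added example (not WhoisXML API's code or tooling) that refangs indicators, isolates the subdomain under the four root domains named in this post, and flags the brand and login/panel strings listed above; the verdict labels and the hostnames in the usage block are constructed, except for metal-absorbing-fly[.]glitch[.]me, which appears in the post.

```python
# Added example, not WhoisXML API's code: lexical triage of subdomains under
# legitimate hosting roots. Root domains and the brand/panel strings come from
# the post; verdict labels and the usage hostnames are constructed.
import re

ROOTS = ("publicvm.com", "glitch.me", "famous.co", "amaze.co")
BRAND_STRINGS = {"facebook", "meta", "instagram", "whatsapp", "amazon"}
SERVICE_STRINGS = {"cpanel", "cpcontacts", "webdisk", "cpcalendars",
                   "login", "webmail", "mail"}

def refang(indicator: str) -> str:
    """Turn a defanged indicator such as 'a[.]glitch[.]me' into a hostname."""
    return indicator.replace("[.]", ".").strip().lower().rstrip(".")

def split_root(host: str):
    """Return (subdomain, root) when host sits under a known root, else None."""
    for root in ROOTS:
        if host.endswith("." + root):
            return host[: -len(root) - 1], root
    return None

def tokens(label: str) -> list:
    """Split a subdomain label on dots, hyphens, underscores and digits."""
    return [t for t in re.split(r"[.\-_0-9]+", label) if t]

def classify(indicator: str) -> dict:
    """Flag brand and login/panel strings in one subdomain."""
    # Whole-token matching: 'metal' is not 'meta'; a substring match would flag it.
    host = refang(indicator)
    parts = split_root(host)
    if parts is None:
        return {"host": host, "in_scope": False, "verdict": "out-of-scope"}
    sub, root = parts
    toks = set(tokens(sub))
    brand, service = sorted(toks & BRAND_STRINGS), sorted(toks & SERVICE_STRINGS)
    if brand and service:
        verdict = "review-high"  # brand name plus login/panel string on a free host
    elif brand or service:
        verdict = "review"
    else:
        verdict = "info"
    return {"host": host, "in_scope": True, "root": root, "subdomain": sub,
            "brand": brand, "service": service, "verdict": verdict}

if __name__ == "__main__":
    for ioc in ("metal-absorbing-fly[.]glitch[.]me",      # from the post
                "facebook-login-secure[.]glitch[.]me",    # constructed
                "cpanel.home[.]publicvm[.]com", "example[.]com"):
        print(classify(ioc))
```

Hosts flagged "review-high" are candidates for screenshot review, as the post does below; the verdict is lexical only and is not a malware finding.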
Our screenshot analysis suggests that threat actors may be waiting for the right time to weaponize some of the properties. Alternatively, those properties may no longer be active and may already have been taken down by the subdomain hosting service provider. For instance, the website screenshots of several Facebook-related glitch[.]me subdomains show they were linked to inactive projects. Some examples are shown below.
Other subdomains hosted Nextcloud, Roundcube, and other platforms’ login pages. Some of these could be fronts for credential theft. An example is metal-absorbing-fly[.]glitch[.]me, which hosts a login page similar to that of Microsoft Outlook.
Screenshot of metal-absorbing-fly[.]glitch[.]me
On the other hand, other subdomains could be legitimate pages created by nonmalicious individuals and organizations. Even so, if these are services meant for internal network use, they could be vulnerable to brute-force attacks. A few examples are shown below.
There are many ways threat actors can lure victims into giving up their sensitive user information, but this almost always involves clicking a malicious link. That link could lead to cybersquatting domains, domains generated by domain generation algorithms (DGAs), or long-form URLs residing on legitimate root domains.
Comprehensive access to domain intelligence can help detect suspicious properties early and prevent threats, such as those posed by GALLIUM and the actors behind the massive Facebook user credential theft.
If you wish to perform a similar investigation or research, please don’t hesitate to contact us. We’re always on the lookout for potential research collaborations.