Age is rarely an issue when it comes to malware campaigns, and that’s certainly true for WebAttacker. WebAttacker is a do-it-yourself (DIY) malware creation kit that became popular back in 2006. It was the first exploit kit made available to cybercriminals in the Russian underground market for as little as US$20.

While you may think it’s no longer active, our research could suggest otherwise. An in-depth look at three email addresses belonging to the WebAttacker operators revealed these findings.

• Close to 350 domains were registered using email addresses identified as indicators of compromise (IoCs).
• The domains registered with the email addresses were created between 2011 and 2022.
• The domains resolved to more than 130 IP addresses.
• The IP addresses were spread out across more than a dozen countries.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Old but Potentially Not Dead

We began the investigation by using the email addresses belonging to the WebAttacker operators as reverse WHOIS search strings. That led to the discovery of 346 domains registered between 2011 and 2022, at least five years after the exploit kit was made available in cybercriminal underground markets. The domain registration peaked in 2021.

Several of the domains look as if they were randomly generated, such as:

• ggssg[.]com
• sssffvv[.]com
• mmzzaa[.]com
• ccpppd[.]com
• ppoomm[.]com
• ppqqd[.]com
• ffggll[.]com
• ppssbb[.]com
• ddssdd[.]com
• hhddn[.]com

A few of them also led to what look to be business sites, specifically rental web pages, based on screenshot lookups.

A bulk Threat Intelligence Platform (TIP) malware check, however, showed that only one domain—ddgcc[.]com—was tagged “malicious” by various malware engines. This web property is currently up for sale, so users looking for a domain for their businesses may want to be wary.

DNS lookups for the domains showed that they resolved to 135 IP addresses spread out over a dozen countries. A majority of them were geolocated in the U.S., followed by China, Canada, Germany, Japan, and South Africa.

Interestingly, while only one domain was dubbed “malicious,” 12 of the IP addresses were tagged as malware hosts by various malware engines, namely:

• 170[.]33[.]9[.]230
• 3[.]130[.]253[.]23
• 18[.]119[.]154[.]66
• 3[.]64[.]163[.]50
• 91[.]195[.]240[.]12
• 99[.]81[.]40[.]78
• 207[.]148[.]248[.]143
• 104[.]21[.]30[.]192
• 172[.]67[.]173[.]140
• 162[.]210[.]196[.]166
• 23[.]227[.]38[.]32
• 217[.]160[.]0[.]71

In Cybercrime, Age Isn’t an Issue

WebAttacker or some variations of it may still live on despite its age. The recently registered domains and the fact that the email addresses identified as IoCs remain in use to this day suggest that. Organizations may want to block access going to and coming from the malicious domain and IP addresses we identified.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.