
DIY Web Attacks Might Still Live on via WebAttacker

Age is rarely an issue when it comes to malware campaigns, and that’s certainly true for WebAttacker. WebAttacker is a do-it-yourself (DIY) malware creation kit that became popular back in 2006. It was the first exploit kit made available to cybercriminals in the Russian underground market for as little as US$20.

While you may think it is no longer active, our research suggests otherwise. An in-depth look at three email addresses belonging to the WebAttacker operators revealed the following:

  • Close to 350 domains were registered using email addresses identified as indicators of compromise (IoCs).
  • The domains registered with the email addresses were created between 2011 and 2022.
  • The domains resolved to more than 130 IP addresses.
  • The IP addresses were spread out across more than a dozen countries.

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Old but Potentially Not Dead

We began the investigation by using the email addresses belonging to the WebAttacker operators as reverse WHOIS search strings. That led to the discovery of 346 domains registered between 2011 and 2022, at least five years after the exploit kit was made available in cybercriminal underground markets. The domain registration peaked in 2021.

Several of the domains look as if they were randomly generated.

A few of them also led to what appear to be business sites, specifically rental web pages, based on screenshot lookups.

A bulk Threat Intelligence Platform (TIP) malware check, however, showed that only one domain—ddgcc[.]com—was tagged “malicious” by various malware engines. This web property is currently up for sale, so users looking for a domain for their businesses may want to be wary.

DNS lookups for the domains showed that they resolved to 135 IP addresses spread out over a dozen countries. A majority of them were geolocated in the U.S., followed by China, Canada, Germany, Japan, and South Africa.

Interestingly, while only one domain was dubbed “malicious,” 12 of the IP addresses were tagged as malware hosts by various malware engines.
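The pivot described in this section (seed email addresses → reverse WHOIS → DNS resolution → geolocation and reputation check → blocklist), as an added example that is not part of the original post or of WhoisXML API's tooling; all records, addresses and verdicts below are constructed placeholders, and the lookups are stand-ins for the reverse WHOIS, DNS and TIP queries the post refers to:

```python
from collections import Counter

def refang(ioc: str) -> str:
    """Turn a defanged indicator (example[.]com) back into a usable string."""
    return ioc.replace("[.]", ".")

def defang(ioc: str) -> str:
    """Defang an indicator so it cannot be clicked or auto-resolved when shared."""
    return ioc.replace(".", "[.]")

# Constructed sample data, not the research dataset. Seed emails are the
# pivot point; WHOIS rows are (domain, registrant_email, creation_year).
SEED_EMAILS = {"operator@mail[.]example"}
WHOIS = [
    ("aabbcc.example", "operator@mail.example", 2021),
    ("ddeeff.example", "operator@mail.example", 2019),
    ("gghhii.example", "operator@mail.example", 2021),
    ("rentals-site.example", "owner@other.example", 2020),  # unrelated registrant
]
DNS_A = {  # constructed A records for the pivoted domains
    "aabbcc.example": ["192.0.2.10", "198.51.100.7"],
    "ddeeff.example": ["198.51.100.7"],
    "gghhii.example": ["203.0.113.5"],
}
GEO = {"192.0.2.10": "US", "198.51.100.7": "DE", "203.0.113.5": "US"}
TAGGED_MALICIOUS = {"aabbcc.example", "198.51.100.7"}  # constructed TIP verdicts

def pivot(seed_emails, whois, dns_a):
    """Reverse-WHOIS by registrant email, then resolve the resulting domains."""
    seeds = {refang(e) for e in seed_emails}
    hits = [(d, y) for d, e, y in whois if e in seeds]
    domains = sorted({d for d, _ in hits})
    years = Counter(y for _, y in hits)            # registration timeline
    ips = sorted({ip for d in domains for ip in dns_a.get(d, [])})
    return domains, years, ips

def countries(ips, geo):
    """Geolocation spread of the resolved IPs (unknown IPs counted as '??')."""
    return Counter(geo.get(ip, "??") for ip in ips)

def blocklist(domains, ips, tagged):
    """Only indicators with a malicious verdict go on the shareable (defanged) list."""
    return sorted(defang(x) for x in list(domains) + list(ips) if x in tagged)

if __name__ == "__main__":
    d, y, i = pivot(SEED_EMAILS, WHOIS, DNS_A)
    print(len(d), "domains; peak year", y.most_common(1)[0][0], ";", len(i), "IPs")
    print("countries:", dict(countries(i, GEO)))
    print("blocklist:", blocklist(d, i, TAGGED_MALICIOUS))
```

Unrelated registrants are dropped at the WHOIS step, and only indicators carrying a malicious verdict reach the blocklist, which mirrors the post's distinction between the 346 pivoted domains and the single domain and 12 IPs actually tagged.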

In Cybercrime, Age Isn’t an Issue

WebAttacker, or some variation of it, may still live on despite its age. The recently registered domains and the fact that the email addresses identified as IoCs remain in use to this day both suggest as much. Organizations may want to block traffic to and from the malicious domain and IP addresses we identified.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (whoisxmlapi) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
