In 2018, nine Mabna hackers were indicted by a U.S. grand jury for their involvement in different instances of cybercrime. Their victims included about 320 universities and over 50 private, government, and nongovernmental organizations in several countries.

WhoisXML API investigated the group’s massive cybercriminal activities through the DNS lens, allowing us to map out the hacking group’s digital footprint using his initial findings. Among our key findings include:

• Eight personally identifiable email addresses tagged as indicators of compromise (IoCs) of the Mabna hackers’ activities
• 200+ IP addresses known to be involved in the campaign
• 1,400+ domains connected to the email and IP addresses known to be involved in the campaign, 89% of which had active IP resolutions

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Deriving the Data Sample

The investigation began with eight email addresses known to be used by the threat actors in their campaigns. Using Reverse WHOIS API, we found that seven were used to register dozens of domains, while one was the registrant email address of 9,976 domains at one point. We didn’t include these domains in our analysis since a domain name investor could own the email address.

The remaining domains were tied to 68 IP addresses that do not appear to be shared or public IP addresses since most of them only had less than 50 resolving domains. We uncovered 1,426 domains resolving to these IP addresses with the help of Reverse IP/DNS API.

We performed a DNS analysis on the IP- and email-connected domains to determine their common locations, registrars, and ISPs. The findings are detailed below.

Profile of the Mabna Domain Infrastructure

Location

Most of the domains suspected to be involved in the Mabna hackers’ criminal activities were geolocated and registered in the U.S. Several resolving domains were also geolocated in Iran. The chart below shows the locations of the Mabna-connected properties based on their registrant countries and IP geolocations.

Administrative Authority

We also looked at the most common registrars and ISPs used by the domains, as they have the authority to take down malicious properties. GoDaddy topped the list of registrars, accounting for 17% of the domains. CSL Company followed with a 12% share. The rest of the top 10 registrars only accounted for 3% or less of the domain registrations each.

As for the ISPs of the resolving domains, Amazon took the lead, accounting for 19% of the resolutions. Sewan and OVH followed with 14% and 10% shares, respectively. The rest of the top 10 ISPs are shown below.

Top-Level Domain (TLD) Usage

Nearly half of the domains were expectedly under the .com space since it is the largest TLD. Aside from .com, .ir and .tk topped the list, with 26% and 10% shares, respectively. Note that Spamhaus tagged .tk as among the most abused TLDs as of 1 September 2022, with 24.4% of its domains considered malicious.

Common Text Strings

At first glance, the domains appeared to have been primarily created using random character sets. Examples include 6ry3m[.]tk, 6sihr[.]tk, 7460u[.]tk, and 7nf6g[.]tk. Some domains contained purely numbers, such as 88750008[.]com, 88750010[.]com, 88878001[.]com, and 88878002[.]com.

However, there were also technical-themed strings that repeatedly appeared, such as “ns2,” “ns1,” “mail,” “webdisk,” “cpanel,” “cpcalendars,” and “smtp.”

Website Content

Among the domains that stood out for their content was imqlr[.]tk, since it hosted or redirected to a page that contained a list of Android hacking tools. It resolved to the IP address 195[.]20[.]44[.]121, which it shared with 30 other domains.

Cybercriminals like the Mabna hackers may be elusive, but they also leave digital footprints that we can analyze and trace to help the cybersecurity community avoid the threat actors’ resources and campaigns.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.