In 2018, nine Mabna hackers were indicted by a U.S. grand jury for their involvement in different instances of cybercrime. Their victims included about 320 universities and over 50 private, government, and nongovernmental organizations in several countries.
WhoisXML API investigated the group’s massive cybercriminal activities through the DNS lens, which allowed us to map out the hacking group’s digital footprint using the initial findings as a starting point. Our key findings include:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
The investigation began with eight email addresses known to be used by the threat actors in their campaigns. Using Reverse WHOIS API, we found that seven of them were used to register dozens of domains, while one was the registrant email address of 9,976 domains at one point. We excluded that address’s domains from our analysis, since an address with that many domains could belong to a domain name investor rather than the threat actors.
The remaining domains resolved to 68 IP addresses that do not appear to be shared or public, since most of them had fewer than 50 resolving domains each. Using Reverse IP/DNS API, we uncovered 1,426 domains resolving to these IP addresses.
We performed a DNS analysis on the IP- and email-connected domains to determine their common locations, registrars, and ISPs. The findings are detailed below.
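The pivot described above (known registrant email addresses, then their domains, then the IPs those domains resolve to, then every other domain seen on those IPs) can be expressed as a small, testable workflow. The script below is an added example, not WhoisXML API’s code or its API client; the reverse WHOIS, A-record and reverse IP tables are constructed sample data embedded inline, and the two thresholds (1,000 domains per registrant email to flag a likely domain investor, 50 resolving domains per IP to flag a shared or public address) are assumptions chosen to mirror the filtering logic the investigation describes. The registrar share table at the end generalizes the same counting to any attribute (registrar, ISP, TLD).

```python
"""Infrastructure pivot used in DNS-based footprinting: registrant e-mail
-> registered domains -> resolving IPs -> co-hosted domains, with the two
noise filters the investigation applied (bulk registrants, shared IPs)."""
from collections import Counter

# ---- Constructed sample data (not taken from the report) -----------------
# Reverse WHOIS view: registrant e-mail -> domains registered with it.
REVERSE_WHOIS = {
    "actor-a@example.invalid": ["6ry3m.tk", "88750008.com", "mail-relay.net"],
    "actor-b@example.invalid": ["7nf6g.tk", "88878001.com"],
    # Thousands of domains on one address: a reseller/investor, not the actor.
    "bulk@example.invalid": [f"parked-{i}.com" for i in range(2000)],
}
# Current A record for each seed domain (constructed).
A_RECORDS = {
    "6ry3m.tk": "203.0.113.10",
    "88750008.com": "203.0.113.10",
    "mail-relay.net": "203.0.113.20",
    "88878001.com": "203.0.113.20",
    "7nf6g.tk": "198.51.100.5",
}
# Reverse IP / passive DNS view: IP -> every domain seen resolving to it.
REVERSE_IP = {
    "203.0.113.10": ["6ry3m.tk", "88750008.com", "6sihr.tk", "7460u.tk"],
    "203.0.113.20": ["mail-relay.net", "88878001.com", "88878002.com"],
    # Shared hosting / CDN address with hundreds of unrelated tenants.
    "198.51.100.5": ["7nf6g.tk"] + [f"tenant-{i}.org" for i in range(300)],
}
# Registrar per domain (constructed), used for the share table.
REGISTRAR = {
    "6ry3m.tk": "Registrar-A", "6sihr.tk": "Registrar-A",
    "7460u.tk": "Registrar-A", "7nf6g.tk": "Registrar-A",
    "88750008.com": "Registrar-B", "88878001.com": "Registrar-B",
    "88878002.com": "Registrar-B", "mail-relay.net": "Registrar-C",
}

BULK_REGISTRANT_MAX = 1000  # assumed: more than this -> likely domain investor
SHARED_IP_MAX = 50          # assumed: more resolving domains -> shared/public IP


def seed_domains(reverse_whois, bulk_max=BULK_REGISTRANT_MAX):
    """Domains tied to the known e-mails, minus bulk registrants."""
    seeds = set()
    for _email, domains in reverse_whois.items():
        if len(domains) > bulk_max:
            continue  # attribution to the actor is too weak; drop the address
        seeds.update(domains)
    return seeds


def dedicated_ips(domains, a_records, reverse_ip, shared_max=SHARED_IP_MAX):
    """IPs the seed domains resolve to, excluding shared/public addresses."""
    ips = {a_records[d] for d in domains if d in a_records}
    return {ip for ip in ips if len(reverse_ip.get(ip, ())) <= shared_max}


def cohosted_domains(ips, reverse_ip):
    """Every domain observed on the retained IPs (the reverse IP pivot)."""
    found = set()
    for ip in ips:
        found.update(reverse_ip.get(ip, ()))
    return found


def share_by(domains, attribute, top=10):
    """Percentage share of each attribute value (registrar, ISP, TLD, ...)."""
    counts = Counter(attribute.get(d, "unknown") for d in sorted(domains))
    total = sum(counts.values())
    return [(value, round(100.0 * n / total, 1))
            for value, n in counts.most_common(top)]


def investigate(reverse_whois=REVERSE_WHOIS, a_records=A_RECORDS,
                reverse_ip=REVERSE_IP):
    """Run the full pivot and return each stage for inspection."""
    seeds = seed_domains(reverse_whois)
    ips = dedicated_ips(seeds, a_records, reverse_ip)
    expanded = cohosted_domains(ips, reverse_ip)
    return {"seeds": seeds, "ips": ips, "new_domains": expanded - seeds,
            "all_domains": seeds | expanded}


if __name__ == "__main__":
    result = investigate()
    print("seed domains:", sorted(result["seeds"]))
    print("dedicated IPs:", sorted(result["ips"]))
    print("new co-hosted domains:", sorted(result["new_domains"]))
    print("registrar shares:", share_by(result["all_domains"], REGISTRAR))
```

Note that a seed domain sitting on a shared IP (7nf6g.tk in the sample) stays in the seed set because it was registered with an actor email; only the IP is dropped as a pivot point, so its hundreds of unrelated co-tenants never enter the result. Swapping the three constructed dictionaries for the output of a reverse WHOIS and passive DNS lookup is the only change needed to run this against real data.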
Most of the domains suspected to be involved in the Mabna hackers’ criminal activities were geolocated and registered in the U.S. Several resolving domains were also geolocated in Iran. The chart below shows the locations of the Mabna-connected properties based on their registrant countries and IP geolocations.
We also looked at the most common registrars and ISPs used by the domains, as they have the authority to take down malicious properties. GoDaddy topped the list of registrars, accounting for 17% of the domains. CSL Company followed with a 12% share. The rest of the top 10 registrars only accounted for 3% or less of the domain registrations each.
As for the ISPs of the resolving domains, Amazon took the lead, accounting for 19% of the resolutions. Sewan and OVH followed with 14% and 10% shares, respectively. The rest of the top 10 ISPs are shown below.
As expected, nearly half of the domains were under the .com space, since it is the largest TLD. Aside from .com, .ir and .tk topped the list, with 26% and 10% shares, respectively. Note that Spamhaus tagged .tk as among the most abused TLDs as of 1 September 2022, with 24.4% of its domains considered malicious.
At first glance, the domains appeared to have been primarily created using random character sets. Examples include 6ry3m[.]tk, 6sihr[.]tk, 7460u[.]tk, and 7nf6g[.]tk. Some domains contained purely numbers, such as 88750008[.]com, 88750010[.]com, 88878001[.]com, and 88878002[.]com.
However, there were also technical-themed strings that repeatedly appeared, such as “ns2,” “ns1,” “mail,” “webdisk,” “cpanel,” “cpcalendars,” and “smtp.”
Among the domains that stood out for their content was imqlr[.]tk, since it hosted or redirected to a page containing a list of Android hacking tools. It resolved to the IP address 195[.]20[.]44[.]121, which it shared with 30 other domains.
Cybercriminals like the Mabna hackers may be elusive, but they also leave digital footprints that we can analyze and trace to help the cybersecurity community avoid the threat actors’ resources and campaigns.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.