Palo Alto Networks threat analysts discovered more than 12,000 cases of domain shadowing after scanning the Web from April to June 2022. In this attack, cybercriminals who have gained control of a legitimate domain's DNS zone (typically through a compromised registrar or DNS-hosting account) quietly add malicious subdomains under it, allowing them to host command-and-control (C&C) servers, phishing pages, and other malicious content while riding on the legitimacy of the root domain. The owner's existing records are left untouched, which is why the intrusion rarely trips the usual alarms.
Often, victims cannot detect domain shadowing until it is too late. WhoisXML API researchers built on the indicators of compromise (IoCs) Palo Alto Networks published to obtain possible cases of domain shadowing and expand the list of potentially malicious domains. The findings of our study are summarized below.
A sample of the additional artifacts obtained from our analysis is available for download from our website.
About 14 web properties tagged as IoCs in the domain shadowing campaign were published in the report referenced above. These resources resolved to seven unique IP addresses, also named in the report.
A reverse IP/DNS lookup on the IP addresses revealed 1,675 connected cyber resources, over a dozen of which were flagged as malicious by various malware engines.
By studying the IoCs, we determined that aside from using random text string combinations for the subdomains, the threat actors also used terms that evoke trust in the average Internet user, such as "login" and "training." The most common subdomain labels we found under the legitimate domains being abused are listed below.
We used these strings as Domains & Subdomains Discovery search terms, along with "dhl-express" and "carrier," which also appeared in our subdomain lookups for the compromised domains. A total of 2,904 unique subdomains added between 1 September and 24 October 2022 were found. The chart below shows the volume of subdomains found per search term.
Nearly 4% of these connected properties were found malicious.
About 81% of the artifacts related to domain shadowing had active IP resolutions. Several subdomains hosted questionable content, according to the screenshot lookup results. Some were login pages, similar to the content the IoCs hosted or redirected to.
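The pivot chain described above (IoCs to IP addresses, reverse IP to connected hosts, then keyword-based subdomain discovery limited to a date window) can be reproduced locally against any passive DNS export. The script below is an added example, not code from the original post or from WhoisXML API; the records, root domains (example-corp.com, shop-example.net, another-example.org) and IP addresses are constructed, and the helper functions stand in for the Reverse IP and Domains & Subdomains Discovery lookups the study used.

```python
"""Pivot from domain-shadowing IoCs to connected infrastructure and
candidate shadowed subdomains, in the order the study describes.

Added example with constructed data; the lookups are simulated over an
in-memory record list rather than the WhoisXML API services.
"""
from collections import defaultdict
from datetime import date

# Constructed passive-DNS style records: (hostname, resolved IP, first seen).
# Hosts under the fictitious root example-corp.com mimic the IoCs; the rest
# is co-hosted or benign noise so that each pivot has something to exclude.
RECORDS = [
    ("login.example-corp.com",       "198.51.100.10", date(2022, 9, 3)),
    ("training.example-corp.com",    "198.51.100.10", date(2022, 9, 5)),
    ("x7q2kd.example-corp.com",      "198.51.100.11", date(2022, 10, 1)),
    ("www.example-corp.com",         "192.0.2.5",     date(2019, 4, 1)),
    ("dhl-express.shop-example.net", "198.51.100.10", date(2022, 9, 20)),
    ("carrier.shop-example.net",     "198.51.100.12", date(2022, 8, 1)),
    ("blog.shop-example.net",        "192.0.2.9",     date(2020, 1, 1)),
    ("mail.another-example.org",     "198.51.100.11", date(2022, 10, 20)),
]

# Hypothetical published IoCs (two of the constructed hosts above).
IOCS = ["login.example-corp.com", "x7q2kd.example-corp.com"]

# Subdomain labels the study found threat actors reusing, and its date window.
SEARCH_TERMS = ("login", "training", "dhl-express", "carrier")
WINDOW = (date(2022, 9, 1), date(2022, 10, 24))


def ioc_ips(records, iocs):
    """Step 1: resolve the published IoCs to their unique IP addresses."""
    wanted = set(iocs)
    return sorted({ip for host, ip, _ in records if host in wanted})


def reverse_ip(records, ips):
    """Step 2: reverse IP lookup; every host seen on those IPs is 'connected'."""
    ip_set = set(ips)
    by_ip = defaultdict(set)
    for host, ip, _ in records:
        if ip in ip_set:
            by_ip[ip].add(host)
    return {ip: sorted(hosts) for ip, hosts in by_ip.items()}


def root_domain(host):
    """Registrable domain, assuming two-label roots (no public-suffix list here)."""
    return ".".join(host.split(".")[-2:])


def discover_subdomains(records, terms, window):
    """Step 3: subdomains whose leftmost label matches a search term and that
    were first seen inside the study window; older matches are dropped."""
    start, end = window
    hits = defaultdict(list)
    for host, _, first_seen in records:
        label = host.split(".")[0]
        if label in terms and start <= first_seen <= end:
            hits[label].append(host)
    return {term: sorted(hosts) for term, hosts in hits.items()}


def shadow_candidates(records, iocs, terms, window):
    """Combine the pivots: hosts that share IoC infrastructure or match a
    search term within the window, grouped under the legitimate root they
    ride on. The roots are the owners to notify, not domains to block."""
    connected = {h for hosts in reverse_ip(records, ioc_ips(records, iocs)).values()
                 for h in hosts}
    matched = {h for hosts in discover_subdomains(records, terms, window).values()
               for h in hosts}
    by_root = defaultdict(set)
    for host in connected | matched:
        by_root[root_domain(host)].add(host)
    return {root: sorted(hosts) for root, hosts in by_root.items()}


if __name__ == "__main__":
    for root, hosts in sorted(shadow_candidates(RECORDS, IOCS, SEARCH_TERMS, WINDOW).items()):
        print(root, "->", ", ".join(hosts))
```

Two details matter when running this for real: the date filter is what keeps a long-lived "carrier" host from being swept up with the campaign, and the reverse IP pivot pulls in hosts such as mail.another-example.org that match no keyword at all, which is exactly the kind of connected property that only a bulk malware or screenshot check can settle.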
The screenshot below shows the page to which users who clicked the IoCs were redirected. The goal of the page could be to steal Microsoft user credentials.
On the other hand, below is a screenshot of one of the connected subdomains we discovered. Like the malicious page above, it also appears to resolve to a Microsoft look-alike login page.
Other examples found hosting similar content are shown below.
We ran a bulk malware check on the connected properties and found 172 that may already have figured in malicious campaigns, whether domain shadowing or some other type of cyber attack.
Alarmingly, several still hosted or redirected to suspicious pages, such as those shown below.
Domain shadowing is reminiscent of the Gallium APT group's modus operandi, which we studied in the past and in which we also discovered several malicious subdomains under legitimate root domains. In fact, some of the malicious properties found in this study were DuckDNS subdomains. Note that DuckDNS is a free dynamic DNS service whose subdomains are created by its users directly, so such hosts borrow the reputation of the DuckDNS root without any zone having been compromised.
The common theme for both threats is that malicious actors hide behind legitimate domains. Compromised zones may, however, be difficult for domain owners to detect until it is too late, because the attacker adds records rather than altering the ones the owner relies on.
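From the domain owner's side, the practical check is to diff the live zone against a signed-off baseline and triage whatever was added or changed. The script below is an added example, not part of the original post; the baseline, live zone, owner prefix (192.0.2.0/24) and the hijacked records under the fictitious example-corp.com are constructed, and the "trust-evoking" label list is drawn from the terms the study reports.

```python
"""Owner-side domain shadowing check: zone diff plus triage of new records.

Added example with constructed zone data. In production the 'live' view
comes from the registrar/DNS-hosting API or a zone export you control,
and the baseline from change control; both are hypothetical here.
"""
import ipaddress

# Labels the study found reused by the threat actors.
TRUST_LABELS = {"login", "training", "dhl-express", "carrier"}

# Constructed baseline (what the owner approved) and live zone (what resolves).
BASELINE = {
    "www.example-corp.com":  "192.0.2.5",
    "mail.example-corp.com": "192.0.2.6",
    "vpn.example-corp.com":  "192.0.2.7",
}
LIVE = {
    "www.example-corp.com":    "192.0.2.5",
    "mail.example-corp.com":   "192.0.2.6",
    "vpn.example-corp.com":    "198.51.100.10",   # repointed to attacker space
    "login.example-corp.com":  "198.51.100.10",   # shadow: trust-evoking label
    "x7q2kd.example-corp.com": "198.51.100.11",   # shadow: random-looking label
}
OWNER_PREFIXES = [ipaddress.ip_network("192.0.2.0/24")]


def zone_diff(baseline, live):
    """Split the live zone into added, changed and removed records."""
    added = {n: ip for n, ip in live.items() if n not in baseline}
    changed = {n: (baseline[n], ip) for n, ip in live.items()
               if n in baseline and baseline[n] != ip}
    removed = {n: ip for n, ip in baseline.items() if n not in live}
    return added, changed, removed


def looks_random(label):
    """Crude heuristic: a label mixing letters and digits with no hyphen
    resembles the random strings the study saw (a real deployment would use
    a dictionary or a trained classifier; this is an assumption, not the
    study's method)."""
    return any(c.isdigit() for c in label) and any(c.isalpha() for c in label) and "-" not in label


def off_net(ip, prefixes):
    """True when the record points outside the owner's own address space."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in prefixes)


def triage(baseline, live, prefixes):
    """Return {name: [reasons]} for every record that needs a human look."""
    added, changed, _ = zone_diff(baseline, live)
    findings = {}
    for name, ip in added.items():
        label = name.split(".")[0]
        reasons = ["not in baseline"]
        if label in TRUST_LABELS:
            reasons.append("trust-evoking label")
        if looks_random(label):
            reasons.append("random-looking label")
        if off_net(ip, prefixes):
            reasons.append("resolves outside owner prefixes")
        findings[name] = reasons
    for name, (old, new) in changed.items():
        reasons = [f"record changed since baseline ({old} -> {new})"]
        if off_net(new, prefixes):
            reasons.append("resolves outside owner prefixes")
        findings[name] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in sorted(triage(BASELINE, LIVE, OWNER_PREFIXES).items()):
        print(name, "->", "; ".join(reasons))
```

The diff is the part that catches shadowing regardless of label, since an attacker who adds records never has to touch www or mail; the label and prefix heuristics only help rank what the diff surfaces. Run it on a schedule from a system that does not share credentials with the registrar account, or a compromise of that account silently updates the baseline too.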
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.