In the realm of cybersecurity, seizing domains, unfortunately, doesn’t always mean the end for the threats they pose. Such could be the case for the 18 domains U.S. law enforcement agents recently took offline for their ties to a money mule recruitment operation reported by Bleeping Computer.
We dove deeper into the threat vectors aided by WHOIS, IP, and DNS intelligence and discovered potentially connected artifacts that could still pose risks to Internet users. Our investigation led to the discovery of:
A sample of the additional artifacts obtained from our analysis is available for download from our website.
We began our deep dive by subjecting the IoCs to historical WHOIS searches that showed the following:
DNS lookups for the domains tagged as IoCs revealed that they all pointed to the same shared IP address, 66[.]212[.]148[.]117. The host is geographically located in the U.S. and, while not considered malicious to date, it resolved to 63 potentially connected domains.
A bulk WHOIS lookup for the 60+ domains showed that more than half (38 to be exact) were likely owned by legitimate businesses. The remaining web properties’ registrant details, specifically email addresses, were left blank.
A closer look at the IoCs also let us identify 11 unique strings or string combinations that appeared among them, namely:
Using these as Domains & Subdomains Discovery search terms led to the discovery of another 418 possibly connected artifacts. While they were all deemed safe to access at the time of this writing, a bulk WHOIS lookup revealed that 12 were privacy protected, 10 used generic email addresses (e.g., info@company[.]TLD and sales@company[.]TLD), 11 used personal email addresses (i.e., mostly Gmail addresses), and the remaining 96 were left blank. Here’s a graphical representation of the web properties’ breakdown.
Subjecting nine unredacted personal registrant email addresses to historical reverse WHOIS searches allowed us to uncover 104 more domains. Of these, two—cmms[.]ir and mechanichome[.]com—turned out to be malicious according to various malware engines.
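The pivoting steps described above (co-hosted domains via a shared IP, then bucketing registrant emails so that only unredacted personal addresses are carried into reverse WHOIS) can be scripted over bulk lookup output. The following is an added example written for this write-up, not WhoisXML API's own tooling; the DNS and WHOIS records in it are constructed placeholders, and the marker and provider lists are assumptions a practitioner would tune to their own data.

```python
from collections import Counter

# Constructed sample data standing in for DNS and bulk WHOIS output; not real records.
SAMPLE_DNS = {
    "seed-one.example": "198.51.100.10",
    "seed-two.example": "198.51.100.10",
    "cohosted-a.example": "198.51.100.10",
    "cohosted-b.example": "198.51.100.10",
    "unrelated.example": "203.0.113.5",
}
SAMPLE_WHOIS = {
    "cohosted-a.example": "info@cohosted-a.example",      # generic role mailbox
    "cohosted-b.example": "someone@gmail.com",           # personal webmail address
    "seed-one.example": "",                              # registrant email left blank
    "seed-two.example": "contact@privacyguard.example",  # privacy/proxy service (assumed marker)
}

PRIVACY_MARKERS = ("privacy", "proxy", "redacted", "whoisguard")  # assumed, tune to your data
GENERIC_LOCALPARTS = {"info", "sales", "admin", "contact", "support", "abuse", "webmaster"}
PERSONAL_PROVIDERS = {"gmail.com", "yahoo.com", "outlook.com", "hotmail.com", "protonmail.com"}

def classify_registrant_email(email: str) -> str:
    """Bucket a registrant email as blank, privacy_protected, generic, personal or other."""
    email = email.strip().lower()
    if not email:
        return "blank"
    local, _, domain = email.partition("@")
    if any(marker in email for marker in PRIVACY_MARKERS):  # checked before role names
        return "privacy_protected"
    if local in GENERIC_LOCALPARTS:
        return "generic"
    if domain in PERSONAL_PROVIDERS:
        return "personal"
    return "other"

def shared_host_pivot(dns: dict, seeds: set) -> set:
    """Domains resolving to an IP shared with any seed IoC, excluding the seeds themselves."""
    seed_ips = {dns[d] for d in seeds if d in dns}
    return {d for d, ip in dns.items() if ip in seed_ips and d not in seeds}

def summarize_and_select_pivots(whois: dict):
    """Count registrant buckets; only personal emails are worth a reverse WHOIS pivot."""
    counts = Counter(classify_registrant_email(e) for e in whois.values())
    pivots = sorted(e for e in whois.values() if classify_registrant_email(e) == "personal")
    return counts, pivots
```

Co-hosted domains found this way are leads, not verdicts: as the write-up notes, most domains sharing the host turned out to belong to legitimate businesses.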
Screenshot lookups for these two dangerous web properties showed that one hosted the website of a computerized maintenance management system (CMMS) provider while the other appeared to be a mechanic's site. They could have been built to look like legitimate service providers' sites while actually serving as malware hosts, or they may simply have been compromised.
Since these two websites were live at the time of this writing, we decided to get some deeper context using website contacts lookup to gather their meta titles and descriptions, all of which were written in Persian. For mechanichome[.]com, we were also able to get company names, an email address, and a phone number.
Our IoC expansion exercise allowed us to uncover one IP address, 585 domains, and nine unredacted registrant email addresses that could have ties to the threat actors behind the seized domains. And with the help of exhaustive WHOIS, IP, and DNS data, we found two new malicious domains that could be considered IoCs.
If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.