Home / Industry

Uncovering Other DarkTortilla Threat Vectors

As an age-old digital threat, phishing just continues to grow in sophistication over time, as DarkTortilla showed. Cyble Research and Intelligence Labs (CRIL) published a technical analysis of the threat specifically targeting Cisco and Grammarly. Are there other potential threat vectors, though?

WhoisXML API researchers obtained three indicators of compromise (IoCs) and performed an expansion analysis that led to the discovery of:

  • Two IP addresses the domains resolved to
  • 300+ domains that shared the IoCs’ IP hosts, two of which were found malicious
  • 11,358+ domains that contained the strings Cisco, Grammarly, or Atomm and could be used for other malicious campaigns; only 4% of these domains seemingly belonged to the legitimate companies and 23 were found malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

DNS Ties

The CRIL report identified two domains—cicsom[.]com and gnammarly[.]com—and one URL—https://atomm[.]com[.]br/[.]well-known/acme-challenge/ol/Fjawtld[.]png—as IoCs.

DNS lookups for the IoCs allowed us to uncover two IP resolutions—104[.]21[.]15[.]248 and 172[.]67[.]165[.]88. Both IP addresses were geographically located in the U.S. and managed by Cloudflare, Inc.

Reverse IP lookups for these then led to the discovery of at least 300 potentially connected domains. A bulk malware check for these web properties revealed that two were malicious, namely, bridgesconstructionservicesinc[.]com and cl7q5s[.]cyou.

WHOIS Connections

Since the phishers’ targeted legitimate companies, we looked for other possible cybersquatting domains. We used the strings Cisco, Grammarly, and Atomm as Domains & Subdomains Discovery search terms to do that, though we only focused on looking for domains akin to the IoCs.

Our search uncovered at least 11,358 domains, 23 of which turned out to be malicious. In particular, 21 of these web properties seemingly served as malware hosts, one was a confirmed spam host, and another one was a confirmed phishing page. We named 10 of the malicious domains below.

MALICIOUS DOMAINCATEGORY
cisco[.]workMalware
cisco[.]asiaMalware
cisco[.]picsMalware
ciscopro[.]ruMalware
shopcisco[.]euMalware
ciscoav[.]comPhishing
grammarly[.]picsMalware
grammarlyget[.]comMalware
appgrammarly[.]infoMalware
mygrammarly[.]coSpam

Apart from typosquatting on the companies’ brands, some of the malicious domains also seemed to redirect to the organizations’ legitimate pages. Here’s an example obtained from a screenshot lookup.

Next, we compared the 11,000+ potential cybersquatting domains’ WHOIS records with those of the legitimate companies. Only 451 of them were owned by the imitated entities. Note that the comparisons were easy to do for Cisco since the organization didn’t redact their WHOIS records. It wasn’t as straightforward, however, for Grammarly that had a redacted WHOIS record.

We had to use two filters for the Grammarly look-alike domains. First, we filtered out those that used a different registration organization other than Domains By Proxy, LLC. Next, we took out the digital properties that indicated a registrar name other than GoDaddy.com, LLC. That left us with only 27 domains likely owned by Grammarly out of the total 476 that contained the company’s brand name.

The table below shows the specific WHOIS record details we used to determine ownership.

COMPANYLEGITIMATE DOMAINWHOIS RECORD DETAIL USED AS COMPARISON PARAMETER
Ciscocisco[.]comAdministrative email address:
[email protected][.]com
Grammarlygrammarly[.]comRegistrant organization:
Domains By Proxy, LLC

Registrar name:
GoDaddy.com, LLC

We also obtained screenshots for look-alike domains that could serve as phishing pages or other malware distributors, assuming they did not redirect to other pages. Here are some examples of the suspicious web pages that didn’t share the WHOIS record identifiers we used for Cisco and Grammarly.

And while the content of some of the look-alike domains didn’t sport the spoofed companies’ logos and content, they could easily trick visitors into giving out personal information, putting them in danger of getting phished or scammed. Examples of such suspicious domains hosting pages that offered prizes in exchange for playing a game or account login pages are shown below.


Our IoC expansion analysis aided by IP, DNS, and WHOIS intelligence enabled us to uncover 11,600+ artifacts that could be connected to DarkTortilla. It also allowed us to identify 29 malicious domains that could particularly put Cisco or Grammarly customers at risk of spamming, phishing, and computer malware infection.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

I make a point of reading CircleID. There is no getting around the utility of knowing what thoughtful people are thinking and saying about our industry.

VINTON CERF
Co-designer of the TCP/IP Protocols & the Architecture of the Internet

Comments

Commenting is not available in this channel entry.

Related

Topics

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

Domain Names

Sponsored byVerisign

IPv4 Markets

Sponsored byIPv4.Global

Brand Protection

Sponsored byCSC