
Tracing Connections to Rogue Software Spread through Google Search Ads

Taking control of victims’ accounts is typically the end goal of many cybercriminals, and they never cease to come up with wily ways to do so. Bleeping Computer researchers recently spotted hackers spreading malware mayhem through Google search ads supposedly pointing to open-source software download sites.

WhoisXML API researchers subjected the list of indicators of compromise (IoCs) compiled by CronUp’s Germán Fernández—68 domains to be exact—to an expansion analysis and found:

  • Two unredacted registrant email addresses from the IoCs’ current WHOIS records that led to 18 email-connected domains
  • Two IP addresses to which the IoCs resolved, both of which were found to be malicious
  • 329 IP-connected domains, five of which turned out to be malicious
  • 84 string-connected domains, two of which were malicious
  • 387 domains that contained the 11 software brands the attackers targeted, 27 of which were confirmed malware hosts

A sample of the additional artifacts obtained from our analysis is available for download from our website.

WHOIS Connections Uncovered

We began our in-depth look into the threat with a bulk WHOIS lookup for the domains identified as IoCs that allowed us to identify these similarities:

  • All of the IoCs were registered with PDR Ltd.
  • A majority of the IoCs, 71% to be exact, were recently created—just this year, while the remaining 29% were created last year.
  • The IoCs’ registrants were spread across six countries—Canada (60%), France (13%), the U.S. (12%), Ukraine (10%), Poland (3%), and Russia (1%).
  • Five of the IoCs indicated unredacted registrant email addresses in their records.

Advanced reverse WHOIS searches for the email addresses showed they were used to register 19 other domains not included in the IoC list. Given their connection to the IoCs, they may warrant monitoring for signs of suspicious activity at least.

DNS Connections Unraveled

In an effort to find more digital breadcrumbs, we looked at DNS connections next, starting with DNS lookups that uncovered two of the IoCs’ IP hosts—74[.]119[.]239[.]234 and 185[.]149[.]120[.]133—both of which turned out to be malicious. Organizations that allow employees to download and use open-source software would do well to block access to these dangerous web properties—one geolocated in the U.S. and the other in Russia.

Reverse IP/DNS lookups then led to the discovery of 329 more domains, five of which were found to be malicious. And like the IoCs, two of these hosted what seemed to be Audacity download pages based on screenshot lookup results, making them appear to be related to the threat.

To find more possibly connected web properties, we turned to a string analysis. We used the unique strings found among the IoCs listed below as Domains & Subdomains Discovery search terms.

  • vilc.
  • tecinovations.
  • tecinnovations.
  • tecinnovation.
  • techinovation.
  • qobstreamsviews.
  • qobstreamsview.
  • ostreeming.
  • odstreamsviews.
  • odstraeming.
  • obstremswiev.
  • obstremsview.
  • obsspro.
  • obsproect.
  • obrproject.
  • obpproject.
  • obmprolect.
  • oblproject.
  • obcprolect.
  • obcproect.
  • godstreamsviews.
  • godstreamsview.
  • glmps.
  • audasite.
  • audacslty

Through this approach, we compiled a list of 84 more domains, two of which—tecinovations[.]space and tecinovations[.]online—turned out to be malicious.

Given their obvious similarity with the IoC tecinovations[.]pw (they only differed in terms of TLD extension) and that they were confirmed malware hosts, it would be a good precaution to block access to and from these properties. And while the remaining 82 domains are currently considered nonmalicious, they may still warrant monitoring given that they look like the other IoCs and just sported different TLD extensions.

One nonmalicious domain—obsspro[.]pw—proved particularly interesting, though, since it hosted the same content as the malicious IP-connected domains and Audacity-related IoC.

Less Obvious Connections, Perhaps?

The Bleeping Computer study mentioned 11 open-source software products for which they saw rogue Google search result pages, namely:

  • 7-Zip
  • Blender 3D
  • Capcut
  • CCleaner
  • Notepad++
  • OBS
  • Rufus
  • VirtualBox
  • VLC Media Player
  • WinRAR
  • Putty

We looked for domains containing their names plus the string download (e.g., 7-zip + download) to see how many were owned by their developers and if any of the typosquatters were malicious. Our search identified an additional 387 domains, 27 of which were confirmed malicious.

WHOIS record detail comparisons also showed that none of these web properties were owned by the developers of the imitated software. Note, however, that because only seven of the 11 developers had unredacted WHOIS records, we were not able to confirm the legitimacy of domain ownership for 7-Zip, Notepad++, Rufus, and VirtualBox.
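As an added illustration (this is not code from the WhoisXML API post), the Python filter below applies the two string pivots described above, the IoC-derived search strings and the brand + download search, to a candidate domain list. It uses the domains, search strings and brand names the post itself names; the remaining candidates are constructed for the example, and the `.test` TLD, the `[.]` defanging style and the `expand` helper are assumptions.

```python
import re

# Domains, strings and brands the post names; the CANDIDATES marked constructed are made up.
IOCS = ["tecinovations[.]pw"]
SEARCH_TERMS = ["vilc.", "tecinovations.", "obsspro.", "audasite.", "audacslty"]
BRANDS = ["7-Zip", "Notepad++", "OBS", "Rufus"]
CANDIDATES = [
    "tecinovations[.]space", "tecinovations[.]online", "tecinovations[.]pw", "obsspro[.]pw",
    # constructed for this example (not from the post)
    "example-7-zip-download[.]test", "notepad-plus-download[.]test",
    "audacslty-installer[.]test", "legit-news[.]test",
]

def refang(domain):
    """'a[.]b' -> 'a.b', lowercased. Assumption: only the [.] defanging style appears."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")

def string_matches(terms, candidates, exclude=()):
    """Candidates containing one of the IoC-derived strings. A trailing '.' in a term
    ('tecinovations.') anchors it to a label boundary, so the same label under another
    TLD (tecinovations[.]space) is caught. Known IoCs are skipped. Returns {domain: term}."""
    skip = {refang(d) for d in exclude}
    hits = {}
    for cand in candidates:
        ref = refang(cand)
        if ref in skip:
            continue
        term = next((t for t in terms if t.lower() in ref), None)
        if term:
            hits[ref] = term
    return hits

def brand_download(brands, candidates):
    """Candidates containing a targeted brand plus 'download'. Both sides are compacted to
    [a-z0-9] so '7-Zip' matches '7-zip-download' and 'Notepad++' matches 'notepad-plus'.
    Short brands such as 'OBS' will over-match; hits are a review list, not a verdict."""
    keys = {b: re.sub(r"[^a-z0-9]", "", b.lower()) for b in brands}
    hits = {}
    for cand in candidates:
        compact = re.sub(r"[^a-z0-9.]", "", refang(cand))
        if "download" not in compact:
            continue
        brand = next((b for b, k in keys.items() if k in compact), None)
        if brand:
            hits[refang(cand)] = brand
    return hits

def expand(iocs=IOCS, candidates=CANDIDATES):
    """Run both pivots over the candidate list and merge them into {domain: reason}."""
    out = {d: "string:" + t for d, t in string_matches(SEARCH_TERMS, candidates, iocs).items()}
    out.update({d: "brand+download:" + b for d, b in brand_download(BRANDS, candidates).items()})
    return out
```

The output is a monitoring or blocking shortlist for analyst review, matching the post's workflow where each hit was still checked against WHOIS data and malware feeds before being called malicious.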


Our IoC list expansion analysis led to the discovery of 822 digital properties—email addresses, IP addresses, and domains—that could be tied to the rogue software attack that used Google search ads as entry vectors. More notably, it allowed us to identify 36 malicious IP addresses and domains not in the original IoC list, some of which bore striking resemblances to the IoCs.

If you wish to perform a similar investigation or get access to the full data behind this research, please don’t hesitate to contact us.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
