Home / Industry

Examining WoofLocker Under the DNS Lens

WoofLocker tech support scams have been wreaking havoc since 2017 but the threat actors behind it don’t seem to be done yet. In fact, the threat may have become even more resilient. Apart from using compromised sites as distribution vectors, WoofLocker started employing a complex traffic direction scheme.

AlienVault OTX has identified 346 domains and 438 IP addresses as WoofLocker indicators of compromise (IoCs) to date. But given the threat’s eight years of existence, how sure are we that no other web properties have fallen through the cracks? We sought to find out.

Our DNS deep dive into WoofLocker revealed:

  • 17 unreported IP addresses to which some domains identified as IoCs resolved
  • 1,194 unpublished domains that shared some of the IoCs’ dedicated IP hosts
  • 18 malicious IP-connected domains based on a bulk malware check

A sample of the additional artifacts obtained from our analysis is available for download from our website.

Under the WoofLocker Hood

With eight years of operation and running in its belt, you would expect WoofLocker to have employed various registrars, a good mix of aged and newly registered domains (NRDs), and a widely spread out infrastructure worldwide. Was that the case, though? We trooped to the DNS to find out.

Domain IoC Analysis

First off, we subjected the domains identified as IoCs to a bulk WHOIS lookup, which led to these discoveries:

  • Only 32 of the 346 domains had current WHOIS records, 61% of which were administered by NiceNIC International Group Co. Limited, Hosting Concepts B.V. (four IoCs) and CommuniGal Communication Ltd. and PDR Ltd. (two IoCs each) rounded out the top 3 registrars.
  • A good number of the domains (78%) were NRDs while the remaining 19% were also fairly new, created in 2021 and 2022. One didn’t have a recorded creation date.
  • A majority of the IoCs (19 domains) were registered in China. The remaining were spread out across four other countries—five in the U.S., four in the Netherlands, and two each in Romania and Russia.

  • The two domains registered in Romania—mylandings[.]us and ourlovestories[.]us—had the same public registrant Gmail email address. A reverse WHOIS search for the email address, however, turned up more than 10,000 domains, which could mean its owner was a domainer.
IP IoC Analysis

Next up, we scrutinized the IP addresses classified as IoCs via a bulk IP geolocation lookup, which uncovered:

  • A majority of the IP addresses (283 IoCs) were geolocated in the U.S. The Netherlands (141 IoCs) and Canada (nine IoCs) rounded out the top 3 geolocation countries.
  • The IoCs were spread out across 17 Internet service providers (ISPs) led by DigitalOcean LLC, which accounted for 251 IP addresses. The Constant Company LLC (135 IoCs) and Choopa (26 IoCs) completed the top 3.

Our domain and IP IoC analyses provided a few answers to the questions we posed earlier. Despite WoofLocker’s long-running tech support ruse, the threat actors employed a limited number of registrars (nine) and ISPs (12). Seemingly, they also showed a preference for NRDs, as only 32 out of 346 domains had current WHOIS records. It’s possible that the domains without current WHOIS records were deliberately left to expire or taken down.

And finally, their infrastructure seemed to span only a few countries distributed across the world’s continents—five current registrant countries and eight IP geolocation countries.

WoofLocker IoC Deep Dive

We also posed other questions regarding the inner workings of WoofLocker.

First, we wanted to find out if given the threat’s years-long existence we could uncover unpublicized artifacts. DNS lookups for the domains identified as IoCs led to the discovery of 17 additional IP addresses—12 IPv4 and five IPv6 addresses.

That brought our total number of IP addresses (IoCs and artifacts combined) to 451. To limit false positives, we decided to focus only on those that were dedicated. That left us with 104 IP addresses to further analyze.

Reverse IP lookups for the 104 IP addresses led to the discovery of 1,194 connected domains. A bulk malware check showed that 19 of them were malicious. Two of the dangerous properties continue to host live content to this day, one looks to be a news site while the other appears to be a blog.

Screenshot of 0x0ff[.]info
Screenshot of dariamariposa[.]com

One tidbit about WoofLocker also caught our attention—the operators’ penchant for compromising adult sites to serve as scam vehicles. Does that mean the owners of non-adult websites need not worry about becoming unwitting fraud participants?

To find out, we subjected the domains identified as IoCs to a closer examination. We sought to identify recurring text strings that appeared more than once among the IoCs. We named 52 strings led by official, which appeared in 51 domains. Zone closely followed in second place, appearing in 50 IoCs. Fun, seen in 41 domains, rounded out the top 3. Take a look at a visual representation of our text string analysis below.

The domains containing top 3 strings official, error, and help, such as errorhelpline24x7msofficialsoftwareerrorcodex16[.]monster, errorhelpline24x7msofficialsoftwareerrorgh001[.]monster, and errorhelpline24x7msofficialsoftwareerrornew06[.]monster, all seemed to point to supposed Microsoft helpline sites in support of WoofLocker’s chosen tactic—tech support scams. Most of them (123 domains to be exact) also sported the .monster TLD.

Also, possibly in connection to WoofLocker’s preference for adult sites, around 200 domains appeared to point to dating sites. That doesn’t mean the owners of non-adult-related websites would remain safe, though. We also found other strings like cloud, design, logo, recipe, and storage.


Our WoofLocker IoC expansion analysis allowed us to answer questions that piqued our curious minds about the threat. Despite its age, the scammers limited their infrastructure components to a few providers and locations. They also seemingly favored employing NRDs and new gTLDs as campaign vehicles. Last but definitely not least, though they’ve been known to prefer compromising adult-related sites, they could also be trailing their sights on cloud, design, storage services, and cooking websites.

If you wish to perform a similar investigation or learn more about the products used in this research, please don’t hesitate to contact us.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

BLACK FRIDAY DISCOUNT - CircleID x NordVPN
Get NordVPN  [74% +3 extra months, from $2.99/month]
By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.

Visit Page

Filed Under

Comments

Commenting is not available in this channel entry.
CircleID Newsletter The Weekly Wrap

More and more professionals are choosing to publish critical posts on CircleID from all corners of the Internet industry. If you find it hard to keep up daily, consider subscribing to our weekly digest. We will provide you a convenient summary report once a week sent directly to your inbox. It's a quick and easy read.

Related

Topics

New TLDs

Sponsored byRadix

IPv4 Markets

Sponsored byIPv4.Global

DNS

Sponsored byDNIB.com

Threat Intelligence

Sponsored byWhoisXML API

Cybersecurity

Sponsored byVerisign

Brand Protection

Sponsored byCSC

Domain Names

Sponsored byVerisign