

A DNS Deep Dive into FUNULL’s Triad Nexus

Silent Push has been monitoring the FUNULL content delivery network (CDN) for two years now. They believe the network has played host to various cybercriminal campaigns, including investment scams, fake trading app distribution, suspect gambling networks, and the Polyfill supply chain attack.

The researchers discovered that FUNULL currently hosts a malicious domain cluster, which they have dubbed “Triad Nexus,” made up of more than 200,000 hostnames, 95% of which appear to have been created using a domain generation algorithm (DGA).

Their study identified 21 subdomains and 42 domains as suspicious indicators, which the WhoisXML API research team expanded. Our analysis led to the discovery of:

  • 113 email-connected domains
  • 33 IP addresses, four of which turned out to be malicious
  • 274 IP-connected domains, one of which turned out to be associated with threats
  • 144 string-connected domains
  • 11,428 string-connected subdomains, 16 of which turned out to be malicious

A sample of the additional artifacts obtained from our analysis is available for download from our website.

About the Triad Nexus Suspicious Indicators

We began our analysis of Triad Nexus with a bulk WHOIS lookup for the 42 domains identified as suspicious indicators. We found that:

  • Only 41 of the domains had current WHOIS records.
  • They were distributed among six registrars topped by Gname.com Pte. Ltd. with 26 domains. GoDaddy.com LLC took the second spot with 10 domains. NameSilo LLC came in third place with two domains. Finally, Go Canada Domains, Inc.; Go Montenegro Domains LLC; and Namecheap, Inc. accounted for one domain each.
  • They were registered between 2002 and 2024, implying that the threat actors did not discriminate in terms of domain age. Note, though, that more than half of the suspicious domains, 27 to be exact, were newly registered.
  • They were spread across five registrant countries led by Malaysia, which accounted for 20 domains. The U.S. came in second place with 14 domains. Croatia bagged third place with five domains. China and Iceland completed the list with one domain each.

From the Triad Nexus Suspicious Indicators to Artifacts

As the first step in our suspicious indicators expansion, we queried the 41 suspicious domains on WHOIS History API. They led to the discovery of seven email addresses, four of which were public.

Using the four public email addresses as search strings for Reverse WHOIS API allowed us to obtain 113 email-connected domains after filtering out duplicates and the suspicious domains.

Next, we performed DNS lookups for the 41 suspicious domains and found that 34 of them currently resolve to 33 unique IP addresses.

Threat Intelligence API queries for the 33 IP addresses showed that four were associated with various threats. The IP address 76[.]223[.]67[.]189, for instance, has been involved in command and control (C&C), generic threats, malware distribution, phishing, spam campaigns, and suspicious activities.
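The expansion steps above (WHOIS history to public registrant emails, reverse WHOIS to email-connected domains, DNS A records to IP addresses, then a threat-intelligence verdict per IP) as an added worked example. It is not the report's own code and does not call the WhoisXML API products; all domains, emails, IPs and verdicts are constructed sample data, and the privacy-proxy filter and the seed-domain exclusion are the assumptions that make the pivot counts meaningful.

```python
"""Pivot seed domains to connected artifacts as the post describes (WHOIS history
-> public emails -> reverse WHOIS; A records -> IPs -> threat intel).
Added example with constructed data, not the report's own data or API calls."""

SEEDS = {"seed-one.example", "seed-two.example", "seed-three.example"}

# Constructed WHOIS history: domain -> registrant emails seen over time.
WHOIS_HISTORY = {
    "seed-one.example": ["owner@mail.example", "redacted@privacy.example"],
    "seed-two.example": ["owner@mail.example", "ops@mail.example"],
    "seed-three.example": ["redacted@privacy.example"],
}
PRIVACY_DOMAINS = {"privacy.example"}  # proxy mailboxes are not pivotable

# Constructed reverse-WHOIS index: email -> every domain registered with it.
REVERSE_WHOIS = {
    "owner@mail.example": ["seed-one.example", "pivot-a.example", "pivot-b.example"],
    "ops@mail.example": ["pivot-b.example", "pivot-c.example"],
}

# Constructed current A records and threat-intel verdicts.
DNS_A = {
    "seed-one.example": ["192.0.2.10", "192.0.2.11"],
    "seed-two.example": ["192.0.2.11"],
    "seed-three.example": [],  # no longer resolves
}
THREAT_INTEL = {"192.0.2.11": ["malware", "phishing"]}


def public_emails(history):
    """Registrant emails usable for pivoting: skip privacy-proxy addresses."""
    return {e for emails in history.values() for e in emails
            if e.split("@")[1] not in PRIVACY_DOMAINS}


def email_connected(emails, index, seeds):
    """Reverse-WHOIS pivot, deduplicated and with the seed domains removed."""
    return {d for e in emails for d in index.get(e, []) if d not in seeds}


def resolving_ips(dns, seeds):
    """(seed domains that still resolve, unique IPs they point at)."""
    live = {d for d in seeds if dns.get(d)}
    return live, {ip for d in live for ip in dns[d]}


def flagged(ips, intel):
    """IPs carrying at least one threat verdict, mapped to their categories."""
    return {ip: intel[ip] for ip in ips if intel.get(ip)}
```

Swapping the constructed dictionaries for real lookup results keeps the deduplication and seed-exclusion logic unchanged, which is what makes the "after filtering out duplicates and the suspicious domains" counts reproducible.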

A bulk IP geolocation lookup for the 33 IP addresses revealed that:

  • They were spread across five geolocation countries led by Japan, which accounted for 13 IP addresses. The remaining countries included China with nine IP addresses, the U.S. with six, Vietnam with four, and Argentina with one.
  • They were distributed among six different ISPs topped by Amazon.com/Amazon AES, which accounted for 13 IP addresses. BGP Network Limited followed with eight IP addresses. RAKsmart accounted for three IP addresses while Cloudie accounted for two. CNSERVERS and Microsoft accounted for one IP address each. Finally, five IP addresses did not have ISP information.

Additionally, we determined the historical IP resolutions of the 41 suspicious domains using DNS Chronicle Lookup. Thirty-six had historical A record data. In particular:

  • The domain polyfill[.]io resolved to more than 100 IP addresses since 4 October 2019.
  • The 36 suspicious domains have had between one and 100+ active IP resolutions with the first seen dates ranging from 4 October 2019 to 12 October 2024.
  • The suspicious domain valentinogtm[.]com has had the least number of IP resolutions—one—since 12 October 2024.

This post only contains a snapshot of the full research. Download the complete findings and a sample of the additional artifacts on our website or contact us to discuss your intelligence needs for threat detection and response or other cybersecurity use cases.

Disclaimer: We take a cautionary stance toward threat detection and aim to provide relevant information to help protect against potential dangers. Consequently, it is possible that some entities identified as “threats” or “malicious” may eventually be deemed harmless upon further investigation or changes in context. We strongly recommend conducting supplementary investigations to corroborate the information provided herein.

By WhoisXML API, A Domain Research, Whois, DNS, and Threat Intelligence API and Data Provider

Whois API, Inc. (WhoisXML API) is a big data and API company that provides domain research & monitoring, Whois, DNS, IP, and threat intelligence API, data and tools to a variety of industries.
