Today’s post highlights a whole lot of bad stuff—and serves as an excellent example of how different cyber threat actor techniques link together in a single campaign.
This RiskIQ web crawl features domain infringement monitoring on our demo workspace that identifies a domain that has likely been compromised and rigged with a script tag to a malicious redirector known as Pseudo Darkleech, which we’ve covered here. The redirector, in turn, pushes this traffic to an instance of the RIG exploit kit.
The first site in the sequence, compromised with the malicious script tag, looks like it belongs to an Italian music group. However, consumers may very well associate part of its URL with a certain well-known brand. Therefore, in this case, the domain infringement may not be deliberate, but nevertheless can be consequential for the brand.
Taking a look at this cyber threat actor’s infrastructure, we can see that “caponebungtbangt.com” wasn’t the only compromised site used in the attack. In PassiveTotal, RiskIQ’s cyber threat research tool, we can see the WHOIS data for the third site in the sequence, “rt.kathrynjalimanart.com”, the one hosting the exploit kit. With a convincing name and (ostensibly) real address, it seems to be a legitimate registration, which means the registrant was likely a victim of Domain Shadowing.
Domain shadowing is a quick and efficient way for cyber threat actors to deploy a vast infrastructure by hijacking user accounts of existing, registered, and otherwise trustworthy web domain. Once they gain access, they can use the parent domain for cyber attacks and register a large number of unauthorized subdomains, which are difficult to detect because they are associated with the reputable compromised domain and often don’t follow any discernible pattern.
Pivoting on the registrant information in PassiveTotal, we can see that many of the domains belonging to this registrant seem to be related to skin care. Given that we know his GoDaddy account has been compromised, we must assume at least a few of these sites are being used by this cyber threat actor or others for similar nefarious purposes.
Sure enough, the first domain I clicked on in PassiveTotal began resolving to a new IP address on March 3, 2015, which may indicate the domain fell into the wrong hands. Pivoting on that address, we see thousands of other domains resolving to it, many of which are flagged by Virustotal and blacklisted by RiskIQ.
Stay safe out there
The domain infringement use case in which several cyber threat actor techniques cause unwitting users to associate a site that leads them to malware with a brand that holds value for a customer is important—and a valuable source of traffic in our crawler. As seen above, RiskIQ is well-suited to detect different each of the different techniques employed by the cyber threat actors in this post.
Questions? Feedback? Email firstname.lastname@example.org to contact our research team.