Exploring the Problem with Newly Registered Domains

The Problem with Newly Registered Domains

May 11, 2017, Forrest Gueterman

Newly registered domains are an effective tool for threat actors.

Threat actors often create new infrastructure quickly, engaging in their attack campaigns and then ducking and running in a matter of hours or even minutes. From a security perspective, there are very few reasons someone would need to visit a domain that has just come online; likely, they were sent there via a URL from a malicious campaign.

Here at RiskIQ, we analyze quite a bit of the internet on a daily basis, and one of the insights that come with this is that we should treat newly registered domains with quite a bit more suspicion than established ones. With the large quantity of cheap and free domain registrations available out there, threat actors are using newly registered domains to prop up disposable websites to aid in their activities quickly and efficiently.

As an example, here’s an adult website from a recent RiskIQ blacklist incident that showcases the trouble with newly registered domains through one of its dependent requests. An iframe on the page has a source of hxxp://procese[.]info/banners/uaps?, a domain which, at the time of the crawl, had only been registered for fourteen days, an indicator that it may be part of malicious infrastructure:


Fig-1 PDNS data inside RiskIQ PassiveTotal showing when this domain began resolving

This specific URL does a couple of different things. The first is that it runs a function called “getBrowser”, which does exactly what the name suggests: it grabs the browser user agent and some other information to try to determine whether the potential victim is a bot.


Fig-2 Part of the getBrowser function

If the victim’s information did not match certain criteria, a variable was set to true. This variable is checked later, and if it is true the page is rewritten to look like a 404 message from an Apache server on Debian. However, RiskIQ’s crawlers were built to mimic real users and easily bypassed this page’s fingerprinting attempts. Because of this capability, the crawler reached the second part of the page. Once the page had decided it was not dealing with a bot, the “victim” was sent elsewhere:


Fig-3 Contents of the Javascript frame that the page created after the fingerprinting passed

The next page the crawlers were sent to was a URL on hxxp://ssd.onlinedisabilityinsurancesanantonio[.]com. A look at the raw page XML showed the following:


Fig-4 Part of the raw page XML

This chunk of code is part of the base64-encoded RIG exploit kit, which waits on the malicious landing page for the redirected victims to arrive. RIG is a common exploit kit that uses several layers of obfuscation to attempt to deliver its various payloads, with the end goal of downloading malware onto the victim’s computer.

Find Newly Registered Domains with RiskIQ Data

New or recently created domains may help confirm suspicions about malicious activity, as many domains are registered shortly before staging an attack. This may indicate dedicated attacker domain ownership and can strengthen an observation’s value as an indicator of compromise. On the other hand, domains with older registration dates may indicate the use of compromised hosts, hijacked domains, or purchase of older domains from a reseller service.

WHOIS is a protocol that lets anyone query for ownership information about a domain, IP address, or subnet. RiskIQ has a vast database of WHOIS data, which is available to query for registrant information. WHOIS records provide information that includes the name, email address, street address, and phone number of the individual who registered the domain, but also the date it was registered.

Organizations can also use the RiskIQ Newly Observed Domains data set to systematically block new domains (via a web filter or firewall) for a set amount of time after they’re first observed. This can act as an added layer of protection against quick attack campaigns.
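The two checks described above, flagging a page’s dependent requests (such as the fourteen-day-old iframe source) and blocking domains for a set window after they are first seen, can be combined in a few lines. The script below is an added example, not RiskIQ code, and does not use any RiskIQ API: the HTML document, the WHOIS creation-date table and the crawl date are all constructed stand-ins (domains under `.example`), and the 30-day window and the two-label domain extraction are assumptions you would replace with your own policy and a proper public-suffix list.

```python
"""Flag dependent requests that point at newly registered domains.

Added example, not RiskIQ code. The HTML, WHOIS table, crawl date and the
30-day policy window below are all constructed assumptions.
"""
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlsplit

NEW_DOMAIN_THRESHOLD_DAYS = 30  # assumed block window after registration


def refang(url):
    """Turn a defanged indicator (hxxp, [.]) back into a parsable URL."""
    return url.replace("hxxp", "http", 1).replace("[.]", ".")


class _DependencyParser(HTMLParser):
    """Collect the URLs of tags that cause the browser to fetch something."""

    TAGS = {"iframe": "src", "script": "src", "img": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = self.TAGS.get(tag)
        if wanted:
            for name, value in attrs:
                if name == wanted and value:
                    self.urls.append(value)


def extract_dependency_urls(html):
    parser = _DependencyParser()
    parser.feed(html)
    return parser.urls


def registrable_domain(url):
    """Crude registrable-domain extraction: the last two labels of the host.
    Assumption for the example; multi-part suffixes such as co.uk need a
    public-suffix list."""
    host = (urlsplit(url).hostname or "").lower()
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def domain_age_days(domain, whois_created, today):
    """Age in days from the WHOIS creation date, or None if unknown."""
    created = whois_created.get(domain)
    return None if created is None else (today - created).days


def classify_dependencies(html, whois_created, today,
                          threshold_days=NEW_DOMAIN_THRESHOLD_DAYS):
    """Return one verdict per dependent request: block when the domain is
    younger than the window, allow when older, unknown when no WHOIS data."""
    results = []
    for url in extract_dependency_urls(html):
        domain = registrable_domain(url)
        age = domain_age_days(domain, whois_created, today)
        if age is None:
            verdict = "unknown"
        elif age < threshold_days:
            verdict = "block"
        else:
            verdict = "allow"
        results.append({"url": url, "domain": domain,
                        "age_days": age, "verdict": verdict})
    return results


# Constructed sample page: one long-lived CDN, one fresh iframe source,
# one host with no WHOIS record.
SAMPLE_HTML = """<html><body>
<p>page content</p>
<script src="https://static.established-cdn.example/lib.js"></script>
<iframe src="http://fresh-domain.example/banners/uaps?"></iframe>
<img src="http://unknown-host.example/pixel.gif">
</body></html>"""

# Constructed WHOIS creation dates (stand-in for a WHOIS / PDNS data set).
SAMPLE_WHOIS = {
    "established-cdn.example": date(2010, 6, 1),
    "fresh-domain.example": date(2017, 4, 12),  # 14 days before the crawl
}
CRAWL_DATE = date(2017, 4, 26)  # constructed crawl date

if __name__ == "__main__":
    for row in classify_dependencies(SAMPLE_HTML, SAMPLE_WHOIS, CRAWL_DATE):
        print(f"{row['verdict']:8} age={row['age_days']!s:>5}  {row['url']}")
```

The “unknown” verdict is kept separate from “allow” on purpose: a domain with no WHOIS record is not evidence of age, and a web filter that treats missing data as old quietly reopens the gap this check is meant to close.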

RiskIQ data sets can be used by security professionals and threat analysts to connect the dots between threat infrastructure and understand the attack vectors and patterns used by attackers. Register for RiskIQ Community for free to begin using data sets such as newly observed domains and start surfacing threats against your organization.
