DomainTools Research Uncovers Additional Infrastructure Related to Recent Malware Campaigns Targeting Windows & Android Users
Recent posts related to a typosquatting malware campaign targeting Windows and Android users (as well as a host of cryptocurrency and other services) caught our attention and we felt it was important to contribute to the effort in identifying and combating these types of attacks.
Collaboration and publicly sharing information to help defend users and the services they rely on is a significant part of our mission at DomainTools to fight every day for a safe, secure, and open Internet for everyone. We applaud this effort to highlight the existence of these domains, though we fear this is only the tip of the iceberg.
Using DomainTools data, our researchers uncovered several pivots that suggest a much larger set of domains associated with this active campaign. When DomainTools researchers include DNS-based pivots that go beyond the host’s IP address, the list of suspicious domains grows to more than 600 as of now, with 9 of these created in the last week and well over 400 still active and not yet on common 3rd party threat intel feeds and blocking lists.
Registration and SOA Patterns Uncover Malicious Domains
Reviewing Whois adjacent “start of authority” (SOA) records within DomainTools Iris Investigate shows the true depth and breadth of the actor activity. While most of the domain registrations took place in the second half of 2022, records show ones dating back to the fall of 2021. For a complete list of the more than 600 identified domains, please click here for further information.
Reviewing the new domains, all look to use similar web page designs as possible lures. If they follow a similar pattern, they would deliver a variety of malware, most of which is designed to achieve persistence on the infected device as well as potential use for the delivery of future lures to unsuspecting targets. With the connection to the ever-popular Vidar stealer and other malware, one can reasonably conclude that the ultimate goal of such activity is to steal credentials to app accounts, crypto wallets, etc., and perhaps to use infected hosts as proxies for further malicious activity.
While we have not validated any specific malicious sites, we believe it’s important to make the public aware of the full scope of activity tied to this campaign, and we strongly suggest people avoid these domains until security researchers can investigate and determine which ones are malicious. This scenario is a good example of where defenders can benefit from pivoting using domain-related data sets and be comfortable flagging questionable domains.