DNS PREDATORS ATTACK: VIPERS AND HAWKS HIJACK SITTING DUCKS DOMAINS

This detailed document presents a comprehensive analysis of DNS hijacking activities carried out by various cybercriminal groups, specifically focusing on operations identified as “DNS Predators,” involving threat actors like Vipers and Hawks. Here’s a summary of the key points:

Attack Campaigns Overview

1. Hasty Hawk Campaigns:

• Domain Hijacking: Domains like aventodesigns.com and twilliroll.com were compromised and used to redirect users to phishing sites.

• Redirections: The actors dynamically altered their attack themes, targeting different geographical locations with localized fake content. For example, visitors from Germany saw a spoofed EU donation page, while those from Canada were redirected to a fake DHL shipping page.

2. VexTrio Viper:

• Massive TDS Infrastructure: Leveraging a Traffic Distribution System (TDS), VexTrio Viper utilized hijacked domains for widespread redirection to scams, including fake dating sites and pharmaceutical campaigns.

• Hijacking Tactics: They targeted aged domains, previously used by legitimate organizations, and exploited weaknesses in DNS providers like DigitalOcean and DNS Made Easy (DME).

• Example of a Hijacked Domain: mpinc.com, initially used by a research institute, was hijacked and redirected to dating scam sites.

3. AntiBot Cloud Utilization:

• Affiliates used AntiBot Cloud, a service originally from Russia, to filter traffic and evade security detection. This service allowed them to bypass bot detection and increase the effectiveness of their phishing and malware distribution campaigns.

4. GoRefresh Affiliate Activities:

• This affiliate focused on pharmaceutical scams and participated in redirecting traffic to other VexTrio affiliates using hijacked domains and HTML meta refresh techniques to avoid detection.
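The HTML meta refresh redirection mentioned above is something a defender can look for directly in page bodies. The following is an added example, not code from the Infoblox report or from Domain.News: it extracts every meta refresh directive from an HTML document, resolves the target against the page URL, and flags redirects that leave the original host. The sample page, URL and hostnames are constructed for the demo.

```python
"""Find HTML meta-refresh redirects in a page body and flag the ones that
send the visitor to another host.  (Added example; constructed sample input.)"""
import re
from html.parser import HTMLParser
from typing import List
from urllib.parse import urljoin, urlparse

# content="<delay>" or content="<delay>; url=<target>", case-insensitive,
# with optional quotes around the target (the forms browsers honour).
_REFRESH_RE = re.compile(
    r"^\s*(\d+)\s*(?:;\s*url\s*=\s*['\"]?([^'\"]+?)['\"]?\s*)?$", re.IGNORECASE
)


class _MetaRefreshCollector(HTMLParser):
    """Collects the content attribute of every <meta http-equiv="refresh">."""

    def __init__(self) -> None:
        super().__init__()
        self.contents: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":  # HTMLParser lower-cases tag and attribute names
            return
        attr = {k: (v or "") for k, v in attrs}
        if attr.get("http-equiv", "").strip().lower() == "refresh":
            self.contents.append(attr.get("content", ""))


def find_meta_refresh(html: str, page_url: str) -> List[dict]:
    """Return one record per meta-refresh redirect found in html."""
    collector = _MetaRefreshCollector()
    collector.feed(html)
    origin_host = urlparse(page_url).hostname
    found = []
    for content in collector.contents:
        m = _REFRESH_RE.match(content)
        if not m or m.group(2) is None:
            continue  # malformed, or a plain timed reload with no target
        target = urljoin(page_url, m.group(2).strip())
        found.append({
            "delay": int(m.group(1)),
            "target": target,
            "cross_site": urlparse(target).hostname != origin_host,
        })
    return found


# Constructed sample page: an instant, cross-site meta refresh in the head,
# plus a harmless timed reload that must not be reported as a redirect.
SAMPLE_URL = "https://hijacked-domain.test/"
SAMPLE_HTML = """<html><head>
<title>Welcome</title>
<META HTTP-EQUIV="Refresh" CONTENT="0; URL='https://landing.example/offer'">
<meta http-equiv="refresh" content="30">
</head><body><a href="/about">About</a></body></html>"""


def demo_meta_refresh() -> List[dict]:
    return find_meta_refresh(SAMPLE_HTML, SAMPLE_URL)


if __name__ == "__main__":
    for record in demo_meta_refresh():
        print(record)
```

Run over crawled or proxied HTML, a `cross_site` hit with `delay` 0 on a domain that recently changed nameservers is the kind of signal worth correlating with the DNS-side checks the report calls for.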

5. Rotational Hijacking:

• A common tactic where hijacked domains are sequentially taken over by multiple threat actors. For instance, mcpennsylvania.com was hijacked first by Vacant Viper, later by a VexTrio affiliate, demonstrating a cycle of short-term exploitation by different groups.

Indicators of Compromise (IoCs)

The document lists various IoCs, including hijacked domain names like:

• mpinc.com, missouri.com, and iccps.org

• URLs associated with malware downloads, such as AsyncRAT and DarkGate

• FQDNs used in the AntiBot Cloud service: antibotcloudapi.com, ipv4.mikifox.com

Mitigation Recommendations

The report emphasizes the need for:

• Enhanced vigilance from domain registrants and DNS providers to detect and respond to unauthorized changes.

• Improved detection mechanisms for hijack attempts, especially on aged or abandoned domains with high reputations.
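One concrete form of the detection the report asks for is a delegation check run against a domain's own parent-side NS records. The following is an added example, not code from the Infoblox report or from Domain.News. It assumes the precondition the Sitting Ducks technique is known to rely on, which this summary only describes as "weaknesses in DNS providers": the parent zone delegates the domain to a nameserver that does not actually host the zone (a lame delegation), and at some providers an unhosted zone can be claimed by whoever creates it. The check sends each delegated nameserver a non-recursive SOA query and reports any nameserver that fails to answer authoritatively. The nameserver names, IP addresses and the offline `fake_probe` are constructed; `udp_probe` is the live equivalent.

```python
"""Lame-delegation check: does each nameserver the parent zone delegates to
actually host the zone?  (Added example; see lead-in for assumptions.)"""
import random
import socket
import struct
from typing import Callable, Dict

AUTHORITATIVE = "authoritative"  # NS answered the SOA query with the AA bit set
LAME = "lame"                    # NS answered, but without authority (REFUSED, referral, ...)
UNREACHABLE = "unreachable"      # no usable answer within the timeout


def build_soa_query(zone: str, txid: int) -> bytes:
    """Wire-format DNS query for <zone> SOA IN with RD=0, so the target
    nameserver must answer from its own zone data rather than recurse."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)
    qname = b"".join(
        struct.pack("B", len(label)) + label.encode("ascii")
        for label in zone.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack(">HH", 6, 1)  # QTYPE=SOA, QCLASS=IN


def classify_response(resp: bytes, txid: int) -> str:
    """Classify a raw DNS response by its header alone."""
    if len(resp) < 12:
        return UNREACHABLE
    rid, flags, _qd, ancount, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if rid != txid:
        return UNREACHABLE  # not the answer to our query; ignore it
    aa = bool(flags & 0x0400)  # Authoritative Answer bit
    rcode = flags & 0x000F     # 0 = NOERROR, 3 = NXDOMAIN, 5 = REFUSED, ...
    if rcode == 0 and aa and ancount > 0:
        return AUTHORITATIVE
    return LAME


def udp_probe(nameserver_ip: str, zone: str, timeout: float = 2.0) -> str:
    """Live probe over UDP/53 (not exercised by the offline demo below)."""
    txid = random.randrange(0x10000)
    query = build_soa_query(zone, txid)
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        try:
            sock.sendto(query, (nameserver_ip, 53))
            resp, _ = sock.recvfrom(4096)
        except (socket.timeout, OSError):
            return UNREACHABLE
    return classify_response(resp, txid)


Probe = Callable[[str, str], str]  # (nameserver_ip, zone) -> status


def assess_delegation(zone: str, parent_ns: Dict[str, str], probe: Probe) -> dict:
    """parent_ns maps each NS name from the parent-side delegation to its IP.
    Any LAME entry means the delegation points at a host that does not serve
    the zone, which is the condition that lets a third party claim the zone
    at that provider (assumption stated in the lead-in)."""
    statuses = {name: probe(ip, zone) for name, ip in parent_ns.items()}
    lame = sorted(n for n, s in statuses.items() if s == LAME)
    if lame:
        verdict = "LAME_DELEGATION"
    elif all(s == UNREACHABLE for s in statuses.values()):
        verdict = "UNREACHABLE"
    else:
        verdict = "HEALTHY"
    return {"zone": zone, "statuses": statuses, "lame_nameservers": lame, "verdict": verdict}


# Constructed offline demo: a fake probe standing in for the network.
_FAKE_NET = {
    "198.51.100.10": AUTHORITATIVE,  # provider A still hosts the zone
    "198.51.100.20": LAME,           # delegated to provider B, but zone was deleted there
}


def fake_probe(nameserver_ip: str, zone: str) -> str:
    return _FAKE_NET.get(nameserver_ip, UNREACHABLE)


def demo_delegation() -> dict:
    return assess_delegation(
        "example.test",
        {"ns1.provider-a.test": "198.51.100.10", "ns2.provider-b.test": "198.51.100.20"},
        fake_probe,
    )


if __name__ == "__main__":
    print(demo_delegation())
```

For a live run, resolve the NS set and addresses from the parent zone (not from the domain's own nameservers, which may already be under someone else's control) and pass `udp_probe`; a `LAME_DELEGATION` verdict on a domain you own means the zone should be created or the delegation corrected at the provider before anyone else does it.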

This document serves as a critical reminder of the sophisticated methods threat actors employ to exploit DNS weaknesses, stressing the importance of active monitoring and mitigation efforts to prevent domain hijacking incidents.

For more details, see the original Infoblox report.

News source: Infoblox. This article does not represent our position.
