No one is as excited about opening a can of worms as people in the cybersecurity community, including us. While threat hunting has become quite challenging, partly because of WHOIS data redaction, the DNS continues to provide clues.
In this post, we intend to demonstrate how one malicious domain can lead to multiple other dangerous web properties using the Domain Research Suite (DRS), a 9-in-1 domain search and monitoring platform. And with the holiday season coming up, what better way to do that than to use a domain that may have figured in parcel delivery scams or malware delivery?
We started our investigation with the domain deliveryrescheduled-auspost[.]com, which seemingly targeted Australia Post customers. We ended up with 1,871 suspicious domains. Here's a step-by-step guide on how we did the investigation.
The first step is to ensure the suspected domain name has indeed been reported as malicious. We used the Threat Intelligence Platform (TIP) for that. The tool’s malware database check detected that deliveryrescheduled-auspost[.]com is indeed dangerous to access.
But even when a suspicious domain hasn’t been reported by malware engines yet, you can follow your gut and proceed to the next step.
Now that the domain’s nefarious nature has been confirmed, we can dig deeper by looking at its WHOIS records. For that, we used WHOIS Search.
At first glance, we can deduce from the website screenshot that the operators installed the NGINX web server software. However, the corresponding configuration hasn’t been completed yet or the website may have been taken down.
Either way, you can scroll down the WHOIS search results until you find the Registrant Contact details.
The WHOIS records of deliveryrescheduled-auspost[.]com are unredacted, so you can pivot off one data point to retrieve other domains registered using the selected registrant information. In this demonstration, we chose the registrant’s email address.
Click the WHOIS record and select Build current Reverse WHOIS report.
This action returned 1,712 domain names with the same email address in their current WHOIS records.
Note that selecting Build historic Reverse WHOIS report would give you the historical footprint for that email address, which in turn returns an additional 200 or so domains.
Aside from WHOIS-connected domains, we can also retrieve a list of digital properties that resolve to the malicious domain’s IP address. To do that, go to Reverse DNS Search and type the domain name into the Obtain connected domains search box.
We found 159 domains that shared the IP host of deliveryrescheduled-auspost[.]com. That brings the total number of currently related domains to 1,871.
When we performed a bulk malware check on the connected domains, we found that about 17% have been flagged as malicious. That includes other courier-themed domains, such as:
We discovered other attack vector types. For instance, we found several banking-related domains that have already been used in malicious campaigns. A few of them even posed as part of fraud team efforts, such as:
Several malicious domains appeared to have been created using domain generation algorithms (DGAs), too. These include:
—
Keep in mind that we uncovered these malicious properties by following the WHOIS and DNS footprints of one domain—deliveryrescheduled-auspost[.]com. By doing so, we found more suspicious domains, many of which have already been weaponized. The threat actors behind these properties may be waiting for the right time to activate some of the dormant domains.
You can also perform a similar investigation. Access DRS if you are an existing user or sign up for a free trial plan if you are a first-timer.