Observing the traffic of domains that show no signs of life for a long time and then suddenly wake up reveals new attacker tactics, according to a study by Unit 42, the security research unit of Palo Alto Networks.
It turns out that 22.27% of the long-registered but dormant domains examined are malicious, suspicious or unsafe to use. The study was prompted by the fact that, during the SolarWinds attack, the malicious Trojan used a DGA (domain generation algorithm) to exfiltrate data from target systems via subdomains.
The experts studied the problem of timely identification of domains that cybercriminals register and then leave inactive, so that they carry a clean reputation at the time of the attack and thus slip past security filters.
In September last year, the experts monitored dormant domains, recording the dynamics of their DNS traffic. It turns out that domains legitimate companies hold for future use come to life gradually, whereas traffic to domains belonging to cybercriminals can increase tenfold in a single day.
It is this dynamic that allows the experts to identify an average of 26,000 potentially dangerous domains per day. By the end of the study, 3.8% of the monitored domains were found to be openly malicious, 19% suspicious, and 2% unsafe for work environments.
Besides the sudden, sharp jump in traffic, the experts point to low-quality, cloned or meaningless content, missing registrant data in WHOIS, and the presence of many DGA-generated subdomains as sure signs of malicious intent.
Attackers typically use DGAs to protect their C2 (command-and-control) servers from detection. Monitoring on this indicator alone yields about two hits a day: domains that, on "waking up", immediately begin generating hundreds of thousands of subdomains.
A good example is this summer's Pegasus campaign: two of its C2 domains were registered in 2019 and woke up last July with a high share of DGA traffic (23.22% at first and 42.04% a few days later, according to Palo Alto Networks).
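The wake-up pattern described above (a domain registered long ago and left dormant, whose daily query volume jumps tenfold or more in a single day, with a large share of the queries going to DGA-looking subdomains, as with the Pegasus C2 domains) can be scored from passive-DNS data. The script below is an added example, not code from the Unit 42 study: the passive-DNS records and WHOIS creation dates are constructed, and the thresholds (one year of age, a 10x day-over-day jump) and the lexical DGA heuristic on the leftmost label are assumptions chosen for illustration.

```python
"""Flag "strategically aged" domains that wake up (added example, not Unit 42 code).

Signals: registered long ago, near-zero traffic, then a sudden day-over-day jump in
DNS queries, much of it to high-entropy (DGA-looking) subdomains.  Log format,
thresholds and the DGA heuristic are assumptions for this illustration.
"""
from collections import defaultdict
from datetime import date, timedelta
import math

# Constructed passive-DNS summary: (day, fully qualified name, query count).
SAMPLE_LOG = [
    # Legitimate company site: gradual ramp-up, ordinary hostnames.
    (date(2021, 9, 1), "www.bright-roadmap-corp.test", 5),
    (date(2021, 9, 2), "www.bright-roadmap-corp.test", 8),
    (date(2021, 9, 3), "www.bright-roadmap-corp.test", 10),
    (date(2021, 9, 3), "mail.bright-roadmap-corp.test", 2),
    (date(2021, 9, 4), "www.bright-roadmap-corp.test", 15),
    (date(2021, 9, 4), "mail.bright-roadmap-corp.test", 5),
    (date(2021, 9, 5), "www.bright-roadmap-corp.test", 20),
    (date(2021, 9, 5), "mail.bright-roadmap-corp.test", 6),
    (date(2021, 9, 5), "api.bright-roadmap-corp.test", 4),
    # Dormant domain registered in 2019 that wakes up with DGA subdomains.
    (date(2021, 9, 1), "www.quiet-sleeper-c2.test", 1),
    (date(2021, 9, 3), "www.quiet-sleeper-c2.test", 1),
    (date(2021, 9, 4), "www.quiet-sleeper-c2.test", 1),
    (date(2021, 9, 5), "www.quiet-sleeper-c2.test", 100),
    (date(2021, 9, 5), "mail.quiet-sleeper-c2.test", 20),
    (date(2021, 9, 5), "kq7x2vz9mw3jp4rt.quiet-sleeper-c2.test", 60),
    (date(2021, 9, 5), "b8ndg5hs1fy6lc0w.quiet-sleeper-c2.test", 50),
    (date(2021, 9, 5), "z3tpq7mk9xvn2wjr.quiet-sleeper-c2.test", 70),
    # Newly registered domain with the same burst: not "aged", so not flagged here.
    (date(2021, 9, 4), "www.fresh-campaign.test", 30),
    (date(2021, 9, 5), "www.fresh-campaign.test", 30),
    (date(2021, 9, 5), "h4sgd0yf8blc6n1q.fresh-campaign.test", 300),
]

# Constructed WHOIS creation dates for the registered domains above.
REGISTERED = {
    "bright-roadmap-corp.test": date(2019, 6, 1),
    "quiet-sleeper-c2.test": date(2019, 2, 14),
    "fresh-campaign.test": date(2021, 8, 30),
}

MIN_AGE_DAYS = 365   # "strategically aged": registered at least a year before waking up
MIN_JUMP = 10.0      # day-over-day query growth that counts as a wake-up (assumption)


def registered_domain(fqdn):
    """Last two labels; good enough for the example (no public-suffix list)."""
    return ".".join(fqdn.split(".")[-2:])


def shannon_entropy(s):
    """Bits per character of a label."""
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def looks_dga(label):
    """Cheap lexical heuristic (assumption): long, high-entropy, vowel-poor label.
    Production DGA detectors use n-gram or ML models instead."""
    vowels = sum(label.count(v) for v in "aeiou")
    return len(label) >= 12 and shannon_entropy(label) >= 3.0 and vowels / len(label) < 0.3


def analyze(log, registered):
    """Per registered domain: age on the spike day, largest day-over-day jump,
    share of that day's queries going to DGA-looking labels, and the verdict."""
    per_day = defaultdict(dict)  # domain -> day -> [total queries, DGA queries]
    for day, fqdn, n in log:
        bucket = per_day[registered_domain(fqdn)].setdefault(day, [0, 0])
        bucket[0] += n
        if looks_dga(fqdn.split(".")[0]):
            bucket[1] += n

    results = {}
    for dom, days in per_day.items():
        first, last = min(days), max(days)
        jump, jump_day = 0.0, None
        prev, day = days[first][0], first + timedelta(days=1)
        while day <= last:  # walk every calendar day; missing days count as zero traffic
            cur = days[day][0] if day in days else 0
            ratio = cur / max(prev, 1)  # avoid dividing by a silent day
            if ratio > jump:
                jump, jump_day = ratio, day
            prev, day = cur, day + timedelta(days=1)
        total, dga = days[jump_day] if jump_day is not None else (0, 0)
        age = (jump_day - registered[dom]).days if jump_day is not None else None
        results[dom] = {
            "age_days": age,
            "max_jump": round(jump, 2),
            "jump_day": jump_day,
            "dga_share": round(dga / total, 2) if total else 0.0,
            "aged_wakeup": jump_day is not None and age >= MIN_AGE_DAYS and jump >= MIN_JUMP,
        }
    return results


if __name__ == "__main__":
    for dom, verdict in analyze(SAMPLE_LOG, REGISTERED).items():
        print(dom, verdict)
```

Only quiet-sleeper-c2.test is reported as an aged wake-up: it is two and a half years old, its traffic goes from one query a day to 300, and 60% of the spike goes to DGA-looking labels. The legitimate domain grows by well under 2x a day, and the newly registered domain shows the same burst but fails the age test, which is exactly the population that reputation filters already treat as suspicious.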
DGA-generated domains are also used for cloaking by phishers, as a proxy layer that splits traffic: bots such as search-engine crawlers and analysts' scanners are sent to legitimate sites, while potential victims are sent to lure pages.
Finally, DGAs are used for so-called black-hat SEO. Scammers point many web pages at the same IP address to raise a domain's ranking in search engines. Reputation filters tend to scrutinize long-established domains less closely than newly registered ones, which they treat as suspicious a priori.
The research has shown that domains that sleep for many months or even years are more likely to spring an unpleasant surprise: according to the experts, such domains are three times more likely to turn out malicious than newly registered ones.