Palo Alto Networks, an American cybersecurity company, does not waste any time even on holidays: two days before New Year it published quite informative research on strategically aged domains and the threats they pose. According to the post, such domains present an even greater risk than newly registered domains (NRDs). Based on the data gathered in the research, malicious dormant domains that have had limited traffic for months to years can suddenly gain a more than 10.3 times increase in traffic within one day. That is three times higher than the increase seen in newly registered domains.
Nearly 30,000 domains turned out to be malicious
With the help of a cloud-based detector, specialists observed domain activity and were able to pinpoint these strategically aged domains. They received nearly 30,000 domains every day from passive domain name system data (historical records of DNS resolutions that later help in identifying malicious infrastructure). As a result, 22.27% of them turned out to be not safe for work, suspicious or malicious.
In conducting their research, specialists used information available on the SolarWinds supply chain attack (SUNBURST trojan) case. They investigated the malicious campaign to uncover characteristics that could then aid in detecting common advanced persistent threats (APTs). In the course of the investigation, specialists came across an interesting fact: the threat actors had registered the command and control (C2) domain some years before launching active operations through it.
Strategically aged domains give an advantage in time
Palo Alto's specialists say this kind of behavior is typical for APT attacks, where the threat actors' trojans stay inactive in victims' networks for a long time before the operators decide to launch the actual attack. In addition, threat actors register multiple domains, so that when one of them gets blocked they can quickly resume malicious operations with another. Not only APT attacks can be successfully carried out on strategically aged domains, but also black hat search engine optimization (SEO), phishing and command and control. The reason for deploying strategically aged domains lies in how reputation mechanisms work: it takes longer to detect such domains because they may already have developed a benign reputation over time by the moment they suddenly start malicious activity.
During the SolarWinds supply chain attack mentioned above, the threat actors had the trojan use a domain generation algorithm (DGA). In this way they exfiltrated the identities of target machines encoded in subdomains. To detect similar APT attacks, specialists ran a scan of all hostnames, specifically a scan of strategically aged domains, pinpointing those with a significant number of newly emerging DGA subdomains as potential attacking domains. Results showed about 161 generated DGA subdomains carrying 43.19% of the burst traffic.
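As an added illustration (not code from Palo Alto Networks' research), the following Python sketch applies the two signals described above to a few constructed passive-DNS rows: a traffic burst relative to a dormant baseline, and the share of burst-day queries that go to DGA-looking subdomains. The apex() helper, the entropy-based DGA heuristic and the thresholds are simplifying assumptions.

```python
import math
from collections import defaultdict

# Constructed passive-DNS rows: (day, hostname, query count). Not real data.
SAMPLE_PDNS = [
    (1, "www.aged-domain.test", 2), (2, "www.aged-domain.test", 3),
    (3, "www.aged-domain.test", 2), (4, "www.aged-domain.test", 3),
    (4, "k3q9z7xv2m.aged-domain.test", 15),   # burst of DGA-like subdomains
    (4, "p8w2n6ybt0.aged-domain.test", 14),
    (4, "c1r5h9qzd4.aged-domain.test", 12),
    (1, "blog.quiet-site.test", 5), (2, "blog.quiet-site.test", 6),
    (3, "blog.quiet-site.test", 4), (4, "blog.quiet-site.test", 7),
]

def apex(hostname):
    """Assumed two-label apex; a real pipeline would use a public-suffix list."""
    return ".".join(hostname.split(".")[-2:])

def entropy(label):
    """Shannon entropy in bits of the characters in one DNS label."""
    n = len(label)
    counts = {ch: label.count(ch) for ch in set(label)}
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def looks_dga(hostname, min_len=8, min_entropy=3.0):
    """Heuristic: long, high-entropy leftmost label (assumed thresholds)."""
    label = hostname.split(".")[0]
    return len(label) >= min_len and entropy(label) >= min_entropy

def burst_report(rows, burst_day, min_ratio=10.0, min_dga_share=0.5):
    """Per apex: burst-day traffic vs. prior-day average, and DGA share of the burst."""
    daily = defaultdict(lambda: defaultdict(int))  # apex -> day -> queries
    dga = defaultdict(int)                         # apex -> burst-day DGA queries
    for day, host, n in rows:
        a = apex(host)
        daily[a][day] += n
        if day == burst_day and looks_dga(host):
            dga[a] += n
    report = {}
    for a, per_day in daily.items():
        prior = [q for d, q in per_day.items() if d < burst_day]
        baseline = sum(prior) / len(prior) if prior else 0.0
        burst = per_day.get(burst_day, 0)
        ratio = burst / baseline if baseline else float("inf")
        share = dga[a] / burst if burst else 0.0
        report[a] = {"ratio": ratio, "dga_share": share,
                     "flag": ratio >= min_ratio and share >= min_dga_share}
    return report

if __name__ == "__main__":
    print(burst_report(SAMPLE_PDNS, burst_day=4))
```

On the constructed rows, aged-domain.test shows roughly an 18.9x burst with about 93% of it going to DGA-like subdomains and is flagged, while quiet-site.test stays at 1.4x with no DGA share.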
Specialists broke the scanned domains into four groups: other, not safe for work, suspicious and malicious. The malicious group included phishing, grayware, command and control, malware and other elements detected by VirusTotal vendors. The suspicious group collected high-risk, insufficient-content, questionable and parked domains. Gambling, adult, nudity and similar categories went to the not-safe-for-work group. The rest, which could not be identified either way, was named the other group. From a percentage perspective, 3.8% of strategically aged domains exhibited malicious behaviors, which is higher than the figure for NRDs, 1.27%.