Searching for Potential Propaganda Vehicle Presence in the DNS

The PAPERWALL influence operation documented by Citizen Lab used hundreds of domains and cloud-hosted IPs to publish and amplify news-like content, with WHOIS and DNS analysis linking the infrastructure to common registrants and cloud providers. DNS discovery uncovered 681 email-connected domains, one additional IP (128.14.74.124), an IP-connected domain timesnewswire[.]com, and 193 string-connected domains (including the malicious updatenews[.]me).

Keypoints

  • Citizen Lab identified 132 IoCs (123 domains, 9 IPs) tied to the PAPERWALL campaign targeting local news outlets.
  • Bulk WHOIS lookups showed all 123 domains were registered via GoDaddy.com LLC and mostly registered in the U.S. between 2019–2023.
  • WHOIS History and Reverse WHOIS revealed 56 historical emails and 33 public registrant emails that linked to 681 additional email-connected domains.
  • DNS lookups produced one extra IP (128.14.74.124) and reverse IP lookups revealed timesnewswire[.]com as an IP-connected domain still hosting news content.
  • Domains & Subdomains discovery found 193 string-connected domains (one, updatenews[.]me, associated with malware) and 57 accessible sites, 17 resembling news feeds.
  • IP geolocation showed IoC IPs distributed across the U.S., Germany, Japan, and South Korea and administered mainly by Tencent-related ISPs and Zenlayer.
  • Searches for common news-related strings (e.g., “daily”, “diario”) uncovered thousands of similar domains created since 2024, some flagged for phishing or malware.

MITRE Techniques

  • [T1583.001] Acquire Infrastructure: Domains – Operators registered large numbers of lookalike/news-themed domains via a registrar to host influence content (‘All of them were obtained from GoDaddy.com LLC.’).
  • [T1583.003] Acquire Infrastructure: Infrastructure as a Service – Content and hosting were served from cloud providers/ISPs (e.g., Tencent Cloud, Zenlayer) to publish materials (‘administered by Shenzhen Tencent Computer Systems Company Limited’, with an additional host administered by Zenlayer, Inc.).
  • [T1036] Masquerading – Use of news-related strings and publication-style names to impersonate legitimate media and appear as news outlets (‘The news-related text strings that appeared most among the 123 domain IoCs were daily and post.’).
  • [T1566.002] Phishing: Link – Some newly discovered domains were used for phishing or hosting malicious content, indicating abuse of lookalike domains to deliver links (‘five of them were malicious. Four, in particular, were associated with phishing while one with a malware attack.’).
  • [T1590] Gather Victim Identity Information (via Open Sources) – Use of WHOIS History, Reverse WHOIS, and reverse IP to link registrant emails and discover related domains and infrastructure (‘WHOIS History API searches … led to the discovery of 56 email addresses …’ and ‘we uncovered 681 email-connected domains’).

Indicators of Compromise

  • [Domain] reported IoCs and connected domains – timesnewswire[.]com, updatenews[.]me, and 121 other domain IoCs reported by Citizen Lab.
  • [IP address] IoC and additional hosts – 128.14.74.124 (additional IP discovered), plus nine reported IoC IPs geolocated across the U.S., Germany, Japan, and South Korea (several administered by Shenzhen Tencent Computer Systems Company Limited and Tencent Cloud Computing (Beijing) Co.).
  • [Registrant emails] WHOIS-derived emails linking domains – 33 public registrant email addresses found in WHOIS history (specific addresses not listed in article) that tied to 681 email-connected domains.
  • [Domain string indicators] Frequently used news strings – ‘daily’, ‘diario’, ‘post’ appearing in many IoCs and connected domains (e.g., 5,277 ‘daily’ domains created since 2024 and 289 ‘diario’ domains found).
  • [Malicious association] Domains flagged by Threat Intelligence – updatenews[.]me (associated with a malware attack) and five ‘daily’ domains created since 2024 flagged (four for phishing, one for malware).

We analyzed the technical discovery steps and results: starting with the 123 domain and 9 IP IoCs reported by Citizen Lab, researchers performed bulk WHOIS lookups (finding all domains registered via GoDaddy and registrant country data), WHOIS History searches (yielding 56 historical emails and 33 public emails), and Reverse WHOIS queries to pivot from those emails to 681 additional email-connected domains. Bulk IP geolocation for the nine IoCs identified hosting across four countries and major administration by Tencent-related providers; DNS lookups added one more host (128.14.74.124) and reverse-IP lookups exposed timesnewswire[.]com as an IP-connected domain still publishing news content.

Next, investigators used Domains & Subdomains Discovery with the most common news-like strings from the IoCs (examples: ‘daily’, ‘diario’, and specific name fragments from the IoC list) to enumerate 193 string-connected domains after filtering duplicates and known entities; Threat Intelligence API flagged updatenews[.]me as associated with malware, Screenshot API showed 57 accessible pages and 17 that resemble news feeds, and Threat Intelligence checks found several recently created ‘daily’ domains tied to phishing or malware. The workflow combined WHOIS, historical WHOIS, Reverse WHOIS, DNS and reverse-IP lookups, IP geolocation, screenshotting, and threat-intel queries to map infrastructure and assess potential abuse for influence operations.
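The pivot logic behind the workflow above (registrant-email, reverse-IP and news-string pivots), as an added example that is not code from the article or from the tools it names. All domains, emails and IPs are constructed sample data standing in for bulk WHOIS/DNS lookup results.

```python
"""Reverse-WHOIS, reverse-IP and news-string pivots over constructed lookup data."""
from collections import Counter

# Constructed sample data (not from the article): two seed IoC domains plus
# the WHOIS and DNS records a bulk lookup would return for a wider candidate set.
SEED = {"sample-daily-news.example", "city-post.example"}
WHOIS = {  # domain -> (registrar, public registrant email)
    "sample-daily-news.example": ("GoDaddy.com LLC", "reg1@mail.example"),
    "city-post.example": ("GoDaddy.com LLC", "reg2@mail.example"),
    "global-daily.example": ("GoDaddy.com LLC", "reg1@mail.example"),
    "diario-local.example": ("GoDaddy.com LLC", "reg2@mail.example"),
    "unrelated-shop.example": ("OtherRegistrar", "shop@mail.example"),
}
DNS_A = {  # domain -> A record (RFC 5737 documentation addresses)
    "sample-daily-news.example": "203.0.113.10",
    "city-post.example": "203.0.113.11",
    "global-daily.example": "203.0.113.10",
    "diario-local.example": "198.51.100.5",
    "unrelated-shop.example": "198.51.100.9",
}
NEWS_STRINGS = ("daily", "post", "diario", "news", "times")


def email_connected(seed, whois):
    """Reverse WHOIS: domains sharing a registrant email with any seed domain."""
    emails = {whois[d][1] for d in seed if d in whois}
    return {d for d, (_, email) in whois.items() if email in emails} - seed


def ip_connected(seed, dns):
    """Reverse IP: domains resolving to an address already used by a seed domain."""
    ips = {dns[d] for d in seed if d in dns}
    return {d for d, ip in dns.items() if ip in ips} - seed


def registrar_counts(domains, whois):
    """Registrar concentration across a domain set (all-GoDaddy is the article's finding)."""
    return Counter(whois[d][0] for d in domains if d in whois)


def string_counts(domains, strings=NEWS_STRINGS):
    """Count news-themed substrings in the leftmost label; the most common
    ones become the search terms for the string-connected discovery step."""
    counts = Counter()
    for d in domains:
        label = d.split(".")[0]
        counts.update(s for s in strings if s in label)
    return counts


if __name__ == "__main__":
    expanded = SEED | email_connected(SEED, WHOIS) | ip_connected(SEED, DNS_A)
    print(sorted(expanded), registrar_counts(expanded, WHOIS), string_counts(expanded))
```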

Key measurable outcomes: from 132 initial IoCs the DNS-focused process uncovered 681 email-connected domains, one additional IP (128.14.74.124), one IP-connected domain (timesnewswire[.]com), and 193 string-connected domains (including one known-malicious updatenews[.]me), demonstrating how threat actors can scale influence infrastructure via mass registrations and cloud hosting and how open-source DNS/WHOIS pivots reveal broader attack surfaces.

Read more: https://circleid.com/posts/20240316-searching-for-potential-propaganda-vehicle-presence-in-the-dns