Domain shadowing is a stealth DNS hijacking technique where attackers create malicious subdomains under compromised domains, leveraging their benign reputation to carry out phishing, malware distribution, and C2 activities. Palo Alto Networks introduces an automated ML-based detector that analyzes terabytes of passive DNS logs to identify shadowed domains, finding hundreds daily and highlighting detection challenges for traditional methods. #DomainShadowing #ShadowedDomains #BarwonBluff #HalontAU #ElitePackaging #Snaitech
Keypoints
- Domain shadowing is a subcategory of DNS hijacking where attackers insert subdomains under a compromised domain while keeping existing records intact.
- Shadowed domains inherit the compromised domain’s benign reputation, enabling long-term stealth for phishing, malware, or C2 activities.
- Traditional threat research methods are slow and labor-intensive for detecting shadowed domains; automated ML pipelines can scale detection using passive DNS data.
- A two-month study identified 12,197 shadowed domains, but VirusTotal flagged only about 200 of them as malicious, underscoring detection gaps.
- The article provides a phishing campaign example using 649 shadowed subdomains under 16 compromised domains (e.g., bancobpmmavfhxcc.barwonbluff.com.au; carriernhoousvz.brisbanegateway.com).
- Palo Alto Networks offers protection against shadowed domains via DNS Security, Advanced URL Filtering, and Cortex XDR for detection and response.
- Automated shadowed-domain detection is crucial because many shadowed domains remain undetected by conventional security telemetry.
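As an added illustration (not code from the Unit 42 post or from Palo Alto Networks), the following Python sketch scores passive DNS records on the traits the keypoints describe: a subdomain that appears long after the registered domain, resolves away from the IPs the intact apex and www records use, carries a random-looking label, and shares its host with subdomains of other compromised apexes. The records, the RFC 5737 hosting IPs, the two-entry suffix list and the thresholds are all constructed assumptions.

```python
import math
from collections import defaultdict
from datetime import date

# Constructed passive DNS records (rrname, A-record rdata, first-seen date).
# Hosting IPs are RFC 5737 documentation addresses, not the post's IoCs.
RECORDS = [
    ("barwonbluff.com.au",                  "192.0.2.10",   date(2019, 3, 1)),
    ("www.barwonbluff.com.au",              "192.0.2.10",   date(2019, 3, 1)),
    ("mail.barwonbluff.com.au",             "192.0.2.11",   date(2019, 3, 1)),
    ("bancobpmmavfhxcc.barwonbluff.com.au", "198.51.100.7", date(2022, 4, 2)),
    ("snaitechbumxzzwt.barwonbluff.com.au", "198.51.100.7", date(2022, 4, 2)),
    ("brisbanegateway.com",                 "192.0.2.20",   date(2018, 6, 5)),
    ("blog.brisbanegateway.com",            "192.0.2.20",   date(2020, 1, 9)),
    ("carriernhoousvz.brisbanegateway.com", "198.51.100.7", date(2022, 4, 2)),
]
MULTI_LABEL_SUFFIXES = {"com.au", "edu.au"}  # assumed stand-in for a public-suffix list

def apex_of(name):
    labels = name.split(".")
    keep = 3 if ".".join(labels[-2:]) in MULTI_LABEL_SUFFIXES else 2
    return ".".join(labels[-keep:])

def entropy(s):
    return -sum(s.count(c) / len(s) * math.log2(s.count(c) / len(s)) for c in set(s))

def shadowed_candidates(records, min_age_days=365, min_len=12, min_entropy=3.0, min_hits=3):
    by_apex, apexes_per_ip = defaultdict(list), defaultdict(set)
    for rrname, rdata, seen in records:
        by_apex[apex_of(rrname)].append((rrname, rdata, seen))
        apexes_per_ip[rdata].add(apex_of(rrname))
    hits = {}
    for apex, recs in by_apex.items():
        legit = {apex, "www." + apex}                       # records the attacker leaves intact
        baseline_ips = {r for n, r, _ in recs if n in legit}
        domain_first = min(s for _, _, s in recs)
        for rrname, rdata, seen in recs:
            if rrname in legit:
                continue
            prefix = rrname[: -(len(apex) + 1)]
            signals = [
                rdata not in baseline_ips,                                  # resolves elsewhere
                (seen - domain_first).days >= min_age_days,                 # appeared late
                len(prefix) >= min_len and entropy(prefix) >= min_entropy,  # random-looking label
                len(apexes_per_ip[rdata]) >= 2,                             # host shared across apexes
            ]
            if sum(signals) >= min_hits:
                hits[rrname] = sum(signals)  # number of signals that fired, out of 4
    return hits
```

Real pipelines would add WHOIS age, certificate transparency and ASN data and tune the thresholds against labelled data; the scoring here only shows which passive DNS traits separate the planted names from ordinary ones such as mail or blog.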
MITRE Techniques
- [T1583] Acquire Infrastructure – Domain Registration – Attackers compromise domain names or create shadowed subdomains to host malicious infrastructure. “Domain shadowing is a subcategory of DNS hijacking, where attackers stealthily insert subdomains under the compromised domain name.”
- [T1566.001] Phishing – Spearphishing Link – The phishing campaign leverages shadowed domains to host a landing page that steals credentials. “phishing campaign leveraging 649 shadowed subdomains under 16 compromised domains” and “phishing landing page wants to steal Microsoft user credentials.”
- [T1071.001] Web Protocols – C2 over Web Protocols – Shadowed domains can be used as a proxy domain to conceal C2 communication. “as a proxy domain to conceal C2 communication.”
Indicators of Compromise
- [Domain] Shadowed and compromised domains – halont.edu.au, barwonbluff.com.au, elitepackagingblog.com
- [IP Address] 103.152.248.148, 27.131.74.5
- [URL] https://login.elitepackagingblog.com/common/oauth2/v2.0/authorize?client_id=4765445b-32c6-49b0-83e6-1d93765276ca&redirect_uri=https%3A%2F%2Fwww.office.com%2Flandingv2&response_type=code%20id_token&scope=openid%20profile%20https%3A%2F%2Fwww.office.com%2Fv2%2FOfficeHome.All&response_mode=form_post&nonce=637823463352371687.MDY0MjMzYjMtOWNlZC00ODA5LWE1YWQtOWMyMTIwYTZiOTIwODZiNTMyN2MtZWQ3ZC00Mzg4LWJjMzktNGQxYjQ1MDFkNmNi&ui_locales=en-US&mkt=en-US&state=q81i2V5Z572r5P2TuEfGYg0HZLgy9vMW3HMxjfeMMm60rJIlPgKe4SKR8D86gIjkNlgD6cd8jK754mEWDiHZtRQ1pzeGpqaVJOCkSmAUGOWUcOxbKCr2sPnoBds6H7fZCJdLqcotpA2NF3vvVbRDSSWk3xhQuxnXOoJoN2pj0RhiR97YEUkUwqEEsCoboffTLGgVrjaDy_ASgmhE_7mkvYE6YsXicgxoEzDqhrjxB_vFcTt_u7o1rrAYcWIv-0vZ4vPVToJ7Nwqlf6BHPz7zPQ
- [URL] https://snaitechbumxzzwt.barwonbluff.com.au/bumxzzwt/[email protected]
Read more: https://unit42.paloaltonetworks.com/domain-shadowing/