DNS Deep Dive: Peeking into Back Doors to Abandoned but Live Backdoors

WatchTowr Labs identified numerous backdoors on compromised sites and analyzed their data-theft implications, finding that 34 domains acted as indicators of compromise. Further research expanded the list to include multiple email-connected domains, malicious IP addresses, and string-connected domains. Affected: domains, email addresses, IP addresses

Key points:

  • WatchTowr Labs investigated backdoors on compromised sites to assess the data-theft risk they posed.
  • 34 domains were initially identified as indicators of compromise (IoCs).
  • The WhoisXML API team expanded this list with additional findings, including 498 email-connected domains and 10 IP addresses, 8 of which were malicious.
  • Total identified artifacts included 192 IP-connected domains and 666 string-connected domains.
  • 34 domains had current WHOIS records, primarily administered by Stichting Registrar of Last Resort Foundation and Amazon.
  • Most of the IoC domains were created in 2024; the remaining creation dates ranged from 1999 to 2012.
  • Investigators identified 168 historical email addresses linked to the 34 IoC domains, with 65 being public.
  • Subsequent queries revealed 32 of the IoC domains resolved to 10 unique IP addresses, of which 8 were already weaponized.
  • The full report offers complete findings and additional downloadable artifacts.
  • A disclaimer notes that the identified threats require further investigation before action is taken on them.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Use of web protocols for command and control.
  • T1566 – Phishing: Targeting user credentials through email impersonation tactics.
  • T1553 – Subvert Trust Controls: Manipulating domain registrations to disguise malicious infrastructure.
  • T1070 – Indicator Removal on Host: Attempts to hide backdoor activity by obscuring artifacts.
  • T1598.003 – Phishing: Use of domains designed to trick users into revealing sensitive information.

Indicators of Compromise:

  • [Domain] csthis[.]com
  • [Domain] h4cks[.]in
  • [Domain] imhabirligi[.]com
  • [Domain] odayexp[.]com
  • [Domain] w2img[.]com

Full Story: https://circleid.com/posts/dns-deep-dive-peeking-into-back-doors-to-abandoned-but-live-backdoors