Key points
- Validin can retrieve full DNS history for a domain (current and past IPs), revealing infrastructure churn and short-lived hosting used by actors.
- Pivoting from a domain to its historical IPs then pivoting those IPs to related domains uncovers additional malicious or lookalike domains on the same servers.
- Lookalike-domain searches identify typosquats (e.g., using “l” instead of “I”) en masse, enabling discovery of many impersonating domains from a single seed.
- Investigating ASN/CIDR ranges tied to an IP reveals large sets of domains (including dynamic DNS names) that may belong to the same actor or hosting provider.
- Validin visualizations (timelines, ASN/cloud indicators) help spot when actors begin using services like CloudFlare or migrate infrastructure.
- Cross-checking domains and IPs in VirusTotal exposed associated malicious files and detections (e.g., Bagle and Remcos) that link domains to malware C2s.
- Dynamic DNS providers (duckdns, ddns) are commonly used in the observed infrastructure, and many domains resolved to the same ASN/IP ranges.
MITRE Techniques
- [T1583] Acquire Infrastructure – Use of domains and dynamic DNS to host malicious infrastructure; “The primary concept of DNS pivots is simple, use the DNS history and domain names to identify patterns and related indicators…”
- [T1071.004] Application Layer Protocol: DNS – Leveraging DNS resolution history and records to map infrastructure and relationships; “Identifying domains that resolve to the same IP” and using DNS history to track changes.
- [T1584] Compromise Infrastructure (Infrastructure Sharing) – Observed overlap of different malware (LokiBot, Bagle, Remcos) on shared IPs/ASN suggesting shared or reused infrastructure; “This could be an indicator that the actors behind Lokibot and Bagle are sharing the same infrastructure…”
- [T1598] Phishing via Domain Impersonation (Typosquatting) – Creation/use of lookalike domains impersonating services (e.g., using ‘l’ instead of ‘I’); “Four of these results seem to be impersonating Icloud services (Using L instead of I).”
- [T1090.002] Proxy: External Proxy – Use of CloudFlare to mask origin IPs and proxy traffic, detected via ASN/cloud indicator; “the actor behind this domain began to use CloudFlare as of 2024-03-19”
- [T1046] Network Service Scanning / Discovery (ASN/CIDR expansion) – Expanding searches across ASN/CIDR ranges to enumerate additional domains and infrastructure; “We can expand the search to query this range, which reveals 1468 domains with IP addresses resolving to the ASN.”
Indicators of Compromise
- [Domain] reported malicious or lookalike domains – sempersim[.]su, lcloud[.]com[.]de (and many others like lcloud[.]com[.]se, elastolut.duckdns[.]org)
- [IP address] IPs linked to domains and used for pivots – 104.237.252[.]28, 194.147.140[.]138 (and other IPs shown in domain histories)
- [Dynamic DNS] Dynamic DNS domains used by actors – marxrwo9090.duckdns[.]org, febxworm39090.duckdns[.]org (examples among 464 duckdns domains in the ASN)
- [Malicious files / detections] Files observed communicating with domains/IPs – Remcos-associated communicating files and multiple files “related to the ‘Bagle Worm’” (Virustotal evidence)
Rewritten technical procedure (focused)
Begin DNS pivoting by querying a domain in Validin to retrieve its full DNS history and associated IP addresses. Inspect the timeline to identify short-lived versus persistent IPs; frequent changes often indicate an actor rotating infrastructure after takedowns or intelligence sharing. From a chosen historical IP, pivot to view all domains that have resolved to that address—this uncovers co-hosted or related domains that might be malicious or impersonating services.
Use Validin’s lookalike-domain search on a suspicious domain (for example one that uses a visual substitution such as “l” for “I”) to enumerate typosquats and similarly named domains; then pivot each result to collect its IP history. Expand the analysis by querying the ASN or CIDR range of the hosting IP to locate many additional domains hosted by the same provider (useful for finding clusters of dynamic DNS names such as duckdns/ddns); because such ranges may belong to the actor or simply to the hosting provider, treat heavily shared IPs with care, since co-hosted domains there are not necessarily related. Visual indicators (ASN/cloud icons) reveal when actors begin using proxies like CloudFlare.
Validate findings with external tooling (the post uses VirusTotal) to check for detections and malicious communicating files tied to the discovered domains and IPs; correlated detections (e.g., LokiBot, Bagle, Remcos) can indicate shared infrastructure or overlapping actor activity. This workflow (domain → IP history → IP → related domains → lookalikes → ASN/CIDR expansion, with cross-validation in threat-intel platforms) maps malicious infrastructure efficiently from DNS artifacts.
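The pivot chain above, as an added example that is not part of the original post and does not use Validin’s API: it runs the same four pivots (domain → IP history, IP → co-hosted domains, confusable-letter lookalikes, CIDR expansion) over a small constructed passive-DNS table. The domains and IPs are the indicators named on this page, but the domain/IP pairings, dates, the 14-day “short-lived” threshold and the `longlived-tenant.example` entry are assumptions made for illustration.

```python
from datetime import date
from ipaddress import ip_address, ip_network

# Constructed passive-DNS records: (domain, ip, first_seen, last_seen). The names are
# the page's indicators; which domain resolved to which IP, and when, is illustrative.
RECORDS = [
    ("sempersim.su", "104.237.252.28", date(2024, 1, 5), date(2024, 1, 9)),
    ("sempersim.su", "194.147.140.138", date(2024, 1, 10), date(2024, 3, 18)),
    ("lcloud.com.de", "194.147.140.138", date(2024, 2, 1), date(2024, 3, 18)),
    ("lcloud.com.se", "194.147.140.138", date(2024, 2, 3), date(2024, 3, 18)),
    ("elastolut.duckdns.org", "194.147.140.140", date(2024, 2, 20), date(2024, 4, 1)),
    ("longlived-tenant.example", "194.147.140.138", date(2019, 1, 1), date(2024, 4, 1)),
]
SHORT_LIVED_DAYS = 14  # assumption: resolutions shorter than this suggest infrastructure churn
CONFUSABLES = str.maketrans({"i": "l", "1": "l", "0": "o"})  # fold look-alike characters together


def ip_history(domain):
    """Pivot 1: domain -> (ip, first_seen, last_seen, short_lived) ordered by first_seen."""
    rows = [(ip, f, l, (l - f).days < SHORT_LIVED_DAYS) for d, ip, f, l in RECORDS if d == domain]
    return sorted(rows, key=lambda r: r[1])


def domains_on_ip(ip):
    """Pivot 2: IP -> every domain that has ever resolved to it (co-hosted or related)."""
    return sorted({d for d, i, _, _ in RECORDS if i == ip})


def lookalikes(seed, domains):
    """Pivot 3: domains whose leftmost label matches the seed's once l/I-style confusables are folded."""
    key = seed.split(".")[0].lower().translate(CONFUSABLES)
    return sorted(d for d in set(domains) - {seed}
                  if d.split(".")[0].lower().translate(CONFUSABLES) == key)


def domains_in_range(cidr):
    """Pivot 4: ASN/CIDR expansion -> domains with any resolution inside the range."""
    net = ip_network(cidr)
    return sorted({d for d, ip, _, _ in RECORDS if ip_address(ip) in net})


def pivot(seed, cidr=None):
    """Chain the pivots: seed -> its IPs -> domains co-hosted on each -> optional CIDR expansion.
    A long-lived IP shared with old, unrelated tenants is a hint of shared hosting, not one actor."""
    result = {"ips": ip_history(seed), "related": {}}
    for ip, *_ in result["ips"]:
        result["related"][ip] = domains_on_ip(ip)
    if cidr:
        result["range"] = domains_in_range(cidr)
    return result
```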
Read more: https://embee-research.ghost.io/infrastructure-analysis-with-dns-pivoting/