Summary:
Silent Push has been investigating the FUNULL content delivery network for two years, uncovering a vast malicious domain cluster linked to various cybercriminal activities. Their findings reveal over 200,000 hostnames generated by a domain generation algorithm, with numerous suspicious indicators and artifacts identified. The research highlights the importance of monitoring such networks for threat detection and response.
#CyberThreats #DomainGenerationAlgorithm #MaliciousIndicators
Keypoints:
- Silent Push has monitored the FUNULL CDN for two years, linking it to various cybercriminal campaigns.
- FUNULL hosts over 200,000 hostnames, 95% generated by a domain generation algorithm called "Triad Nexus."
- 21 subdomains and 42 domains were identified as suspicious indicators.
- The analysis revealed 113 email-connected domains and 33 IP addresses, with four being malicious.
- 274 IP-connected domains were found, with one associated with threats.
- 11,428 string-connected subdomains were identified, with 16 being malicious.
- Suspicious domains were registered between 2002 and 2024, with a significant number being newly registered.
- Most suspicious domains were registered in Malaysia and the U.S.
- Threat Intelligence API queries indicated that four of the 33 IP addresses were linked to various threats.
- Historical data showed that the domain polyfill[.]io resolved to over 100 IP addresses since 2019.
MITRE Techniques:
- Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
- Domain Generation Algorithm (T1483): Employs algorithms to create a large number of domain names for use in command and control communications.
- Phishing (T1566): Engages in deceptive practices to trick users into revealing sensitive information or downloading malware.
- Malware Distribution (T1070): Distributes malicious software through various means, including compromised networks and domains.
IoC:
- [domain] polyfill[.]io
- [domain] valentinogtm[.]com
- [ip address] 76.223.67.189
Full Research: https://circleid.com/posts/a-dns-deep-dive-into-funulls-triad-nexus