Checking Out the DNS for More Signs of ResumeLooters

Researchers expanded 15 initial ResumeLooters IoCs through WHOIS, reverse WHOIS, DNS, and reverse-IP analysis, uncovering 953 potentially connected web properties and multiple malicious hosts tied to phishing and malware. The investigation highlighted domain impersonation of legitimate job sites (iimjobs and foundit) and identified specific string-connected domains (including 8t[.]pm and 8t[.]wf) linked to malware. #ResumeLooters #iimjobs

Keypoints

  • Started from 15 ResumeLooters IoCs (seven domains, three subdomains, five IPs) provided by Group-IB.
  • Bulk WHOIS and reverse WHOIS using a registrant name produced 302 registrant-connected domains; 77 remained accessible during checks.
  • WHOIS history revealed four historical registrar emails; reverse WHOIS on two public emails returned 69 email-connected domains (27 with live pages).
  • DNS lookups of the seven domain IoCs resolved to six additional IPs (Cloudflare-administered); all six were associated with phishing and other threats.
  • Reverse IP lookups across 11 IPs (5 IoCs + 6 additional) found three IP-connected domains and indicated three dedicated IPs.
  • String-based domain discovery returned 573 string-connected domains; two (8t[.]pm, 8t[.]wf) were flagged for malware activity.
  • Two ResumeLooters subdomains (recruit[.]iimjobs[.]asia, recruiter[.]foundit[.]asia) appear to impersonate iimjobs[.]com and foundit[.]in (typosquatting indicators).

MITRE Techniques

  • [T1566.002] Phishing – Infrastructure and domains were used for phishing campaigns: ‘All six IP addresses were associated with phishing.’
  • [T1583.001] Acquire Infrastructure: Domain Names – Adversaries registered and used lookalike domains (e.g., iimjobs[.]asia, foundit[.]asia) to host malicious content or impersonate services: ‘recruit[.]iimjobs[.]asia and recruiter[.]foundit[.]asia—seemed to be impersonating legitimate job-hunting websites.’
  • [T1589] Gather Victim Identity Information – WHOIS and WHOIS History queries were used to extract registrant and email details for pivoting: ‘A reverse WHOIS search using the registrant name as input provided us with 302 connected domains.’
  • [T1592] Gather Victim Network Information – DNS and reverse IP lookups uncovered additional hosts and mapped network ownership (Cloudflare administration): ‘DNS lookups for the seven domain IoCs … resolved to six additional IP addresses’ and ‘administered by Cloudflare, Inc.’
  • [T1036] Masquerading – Typosquatting and subdomain impersonation were used to mimic legitimate job sites and lure victims: ‘iimjobs[.]asia and foundit[.]asia … seemed to be impersonating legitimate job-hunting websites.’
  • [T1105] Ingress Tool Transfer – Domains associated with malware (e.g., 8t[.]pm and 8t[.]wf) indicate hosting or delivery points for malicious payloads: ‘…8t[.]pm and 8t[.]wf—were associated with malware attacks.’

Indicators of Compromise

  • [Domain] initial IoCs and samples – 8t[.]ae, iimjobs[.]asia (and six other domain IoCs not listed).
  • [Subdomain] impersonation examples – recruit[.]iimjobs[.]asia, recruiter[.]foundit[.]asia (typosquatting/impersonation of iimjobs[.]com and foundit[.]in).
  • [Domain – string-connected] discovered by string search – 8t[.]pm, 8t[.]wf, and 571 other string-connected domains.
  • [IP addresses] IoC and expansion – five original IP IoCs (unspecified in article) and six additional IPs discovered via DNS (all Cloudflare-administered), plus three dedicated IPs found via reverse IP lookup.
  • [Registrant/email] WHOIS-derived pivots – registrant name/organization for 8t[.]ae and four historical WHOIS emails (two public emails used for reverse WHOIS searches), and other connected registrant/email-linked domains.

Starting from Group-IB’s 15 IoCs, the analysts ran bulk WHOIS lookups on the seven domain IoCs to collect registrar, registrant, and creation-date metadata, revealing one domain (8t[.]ae) with public registrant name/organization. They ran reverse WHOIS on that registrant and obtained 302 registrant-connected domains (duplicates and IoCs filtered), checking accessibility with screenshot tools. WHOIS History supplied four historical emails from the IoCs; reverse WHOIS on two public emails returned 69 email-connected domains after filtering, with 27 hosting live pages.

Next, DNS resolution of the seven domain IoCs produced six additional IP addresses (all geolocated to the U.S. and administered by Cloudflare). Threat feeds flagged all six for phishing, with subsets associated with generic threats, malware, and suspicious activity. Combining the five original IP IoCs and these six hosts, reverse IP lookups identified three IP-connected domains and indicated three potentially dedicated IPs. A string-based Domains & Subdomains Discovery search for domain name fragments yielded 573 string-connected domains, two of which (8t[.]pm and 8t[.]wf) were classified as associated with malware.

Overall, the operational expansion steps—bulk WHOIS, reverse WHOIS, WHOIS History, DNS resolution, reverse IP lookup, and string-based domain discovery—produced 953 potentially connected web properties (302 registrant-connected domains, 69 email-connected domains, six additional IP addresses, three IP-connected domains, and 573 string-connected domains), with eight artifacts linked to phishing, malware, and other threats, and identified possible typosquatting of iimjobs[.]com and foundit[.]in via iimjobs[.]asia and foundit[.]asia.
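The two cheapest pivots in that chain, impersonation of a legitimate brand label under another TLD and string-connection to an IoC's registrable label, can be reproduced offline against any list of candidate hostnames. The following is an added example (not code from the CircleID post or from Group-IB) that applies both checks to the page's named indicators; the candidate list and the single-label-TLD assumption in `registrable_label` are constructed for illustration.

```python
# Added example (not from the CircleID post): offline triage of candidate
# domains against the impersonation and string-pivot logic the post describes.

# Legitimate job sites the post says were impersonated, keyed by brand label.
LEGIT_SITES = {"iimjobs": "iimjobs.com", "foundit": "foundit.in"}
# Domain IoCs named on the page, defanged as published.
DEFANGED_IOCS = ["8t[.]ae", "iimjobs[.]asia", "foundit[.]asia"]


def refang(name: str) -> str:
    """Turn a defanged indicator such as 8t[.]ae into a plain lowercase FQDN."""
    return name.replace("[.]", ".").strip(".").lower()


def registrable_label(fqdn: str) -> str:
    """Label left of the TLD; assumes a single-label TLD (no Public Suffix List lookup)."""
    parts = refang(fqdn).split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def classify(candidate: str, iocs=DEFANGED_IOCS, legit=LEGIT_SITES) -> list:
    """Return the reasons a candidate connects to the IoC set (empty list = not flagged)."""
    fqdn = refang(candidate)
    label = registrable_label(fqdn)
    # The genuine sites themselves are never flagged, whatever their subdomain.
    if any(fqdn == site or fqdn.endswith("." + site) for site in legit.values()):
        return []
    known = sorted(refang(i) for i in iocs)
    under_ioc = [i for i in known if fqdn == i or fqdn.endswith("." + i)]
    reasons = [f"under known IoC {i}" for i in under_ioc]
    # Impersonation: same brand label as a legitimate site, under another TLD.
    if label in legit:
        reasons.append(f"same label as {legit[label]} under a different TLD")
    # String pivot: shares an IoC's registrable label (the post's 8t[.]pm / 8t[.]wf case).
    if not under_ioc and label in {registrable_label(i) for i in known}:
        reasons.append(f"string-connected via '{label}'")
    return reasons


def triage(candidates) -> dict:
    """Map each flagged candidate to its reasons; unflagged names are dropped."""
    return {c: classify(c) for c in candidates if classify(c)}


if __name__ == "__main__":
    # Constructed review list: hosts named on the page plus benign controls.
    sample = ["recruit[.]iimjobs[.]asia", "recruiter[.]foundit[.]asia", "8t[.]pm",
              "8t[.]wf", "www.iimjobs.com", "foundit.in", "example.org"]
    for name, why in triage(sample).items():
        print(f"{name}: {'; '.join(why)}")
```

Feeding real passive-DNS or certificate-transparency output through `triage` instead of the constructed list turns this into a first-pass filter; anything it flags still needs the WHOIS and threat-feed checks the post applies before being treated as an indicator.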

Read more: https://circleid.com/posts/20240322-checking-out-the-dns-for-more-signs-of-resumelooters