Palo Alto Networks describes a proactive detector that spots potentially malicious newly observed domains (NODs) by ingesting WHOIS data, DNS traffic, and passive DNS signals, enabling earlier detection of abuse as domains become active. The system analyzes millions of NODs daily, demonstrating rapid lead times (average 4.79 days earlier than VirusTotal) and identifying various threats such as C2, phishing, and levelsquatting, while expanding visibility beyond NRDs to aged domains.
#NewlyObservedDomains #DNSSecurity #Phishing #Levelsquatting #AppleInc #IntesaSanpaolo #payment-downlaods.ga #asuna-sao.us
Keypoints
- New proactive detectors ingest newly observed domains (NODs) using WHOIS, DNS traffic, and ML models to flag potential threats.
- The system processes ~2.6 million NODs daily and identifies about 2,323 potentially malicious NODs per day.
- Compared with VirusTotal, 33.08% of detected NODs are later labeled malicious, and the detector discovers them on average 4.79 days earlier.
- Beyond NRDs, the detector analyzes aged domains and TLDs with restricted WHOIS data, improving visibility into emerging threats.
- Indicators include C2 domains, phishing domains, grayware domains, and patterns like DGAs and levelsquatting observed in DNS traffic.
- Blocking and protection are extended to other Palo Alto Networks services (URL Filtering, WildFire) once a domain is flagged.
- Concrete examples include payment-downlaods.ga (C2), asuna-sao.us (phishing), and various grayware domains.
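As an added example (not code from the Unit 42 post or its detector), a small Python sketch of two of the checks the keypoints describe, run over constructed passive-DNS records: a newly-observed window on the registered domain's first-seen date, and a levelsquatting check that looks for a brand name in the subdomain labels of a domain the brand does not own, which also catches squatting on aged domains. The brand allowlist, the last-two-label registered-domain heuristic and the 30-day window are assumptions for the example.

```python
from datetime import date

# Constructed passive-DNS records: (hostname, first_seen of the registered domain).
# These are not indicators from the Unit 42 post.
SAMPLE_RECORDS = [
    ("appleid.apple.com.account-verify.example-new.xyz", date(2023, 5, 2)),
    ("www.apple.com", date(2010, 1, 1)),
    ("mail.corp-example.net", date(2023, 5, 3)),
    ("secure-paypal.com.login.example-aged.info", date(2021, 1, 10)),
]
TODAY = date(2023, 5, 10)  # fixed "now" so the example is reproducible

# Assumed allowlist: brand keyword -> registered domains the brand legitimately owns.
BRANDS = {"apple": {"apple.com"}, "paypal": {"paypal.com"}}

def _labels(hostname):
    return hostname.lower().rstrip(".").split(".")

def registered_domain(hostname):
    """Approximate the registrable domain as the last two labels.
    A production detector would consult the Public Suffix List instead."""
    return ".".join(_labels(hostname)[-2:])

def is_levelsquatting(hostname, brands=BRANDS):
    """True if a brand keyword appears in a subdomain label while the
    registered domain is not one the brand owns (e.g. apple.com.<attacker>)."""
    labels = _labels(hostname)
    reg = registered_domain(hostname)
    subdomain_labels = labels[:-2]
    for brand, owned in brands.items():
        if reg in owned:
            continue  # brand's own domain: subdomains are legitimate
        if any(brand in label for label in subdomain_labels):
            return True
    return False

def is_newly_observed(first_seen, today=TODAY, max_age_days=30):
    """Registered domain first seen within the window counts as a NOD."""
    return 0 <= (today - first_seen).days <= max_age_days

def flag_nods(records, today=TODAY, max_age_days=30):
    """Return [(hostname, reasons)] for records worth analyst attention."""
    flagged = []
    for hostname, first_seen in records:
        reasons = []
        if is_newly_observed(first_seen, today, max_age_days):
            reasons.append("newly observed domain")
        if is_levelsquatting(hostname):
            reasons.append("levelsquatting")
        if reasons:
            flagged.append((hostname, reasons))
    return flagged

if __name__ == "__main__":
    for hostname, reasons in flag_nods(SAMPLE_RECORDS):
        print(hostname, "->", ", ".join(reasons))
```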
MITRE Techniques
- [T1071.004] DNS – Observed DNS traffic is analyzed to identify suspicious behaviors as domains start carrying traffic. ‘the detector analyzes the DNS traffic of NODs to capture any suspicious behaviors.’
- [T1566.002] Phishing: Spearphishing Link – Phishing domains mimic real services (e.g., a major international bank) to steal credentials. ‘The phishing domain mimicking a major international banking group based in Italy… The phishing website copied the text from the official site but with fake contact information.’
- [T1036] Masquerading – Levelsquatting hostnames masquerading as a legitimate brand to mislead users. ‘levelsquatting hostnames masquerading as Apple Inc and labeled the domain as dangerous.’
- [T1583] Acquire Infrastructure – Domains – The attacker infrastructure includes malicious domains used for hosting C2/spyware and other abuse. ‘payment-downlaods[.]ga served Android Package Kit (APK) spyware that attempted to steal private information…’
Indicators of Compromise
- [Domain] C2 Domain – payment-downlaods.ga
- [Domain] Phishing Domains – asuna-sao.us, intesa-sanpaola.ml, zellesupport.info
- [Domain] Grayware Domains – bakbitionb.com, bsdybwo.tk, bwafduj.tk, createruler.com, jxc786.com, twtyowq.tk
- [SHA256] Hash – e9ad04ae0201307e061cdae350c392a6b4537876991b2c97857ea71086fa0496
Read more: https://unit42.paloaltonetworks.com/malicious-newly-observed-domains/