Prolific Puma is a DNS threat actor that has operated unnoticed for over four years, primarily focusing on domain generation and link shortening services for malicious activities. This underground network creates a vast number of domains using a registered domain generation algorithm (RDGA) to support phishing, scams, and malware distribution. The findings reveal the challenges in controlling DNS abuse and highlight the strategies such cybercriminals use to evade detection.
Affected: DNS threat actors, cybercrime supply chain, domain registration services
Key points:
- Prolific Puma has been active for at least four years, generating domains daily.
- Estimated worth of the cybercrime economy is trillion in 2023.
- Prolific Puma uses a registered domain generation algorithm (RDGA) for domain creation.
- The group provides link shortening services for other cybercriminals to distribute phishing and malware.
- Analytical methods for DNS detection have successfully identified and tracked Prolific Puma's activities.
- Registered domains are primarily associated with the .us top-level domain (usTLD), despite that TLD's country-specific registration restrictions.
- Prolific Puma employs strategic aging of domains to evade traditional security measures.
- Evidence suggests Prolific Puma may be operating as a service provider for other malicious actors.
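The key points above describe three detection-relevant traits: short RDGA-style labels, a preference for .us, and strategic aging so that newly-registered-domain (NRD) filters no longer flag the domains by the time they are used. The following triage script is an added example, not code from the original report; it joins constructed resolver log rows with constructed WHOIS creation dates, matches the page's IoC domains, applies a simple RDGA-like label heuristic, and explicitly reports when a domain has aged past a typical NRD window. The heuristic thresholds and the non-IoC domains are assumptions made for illustration.

```python
from datetime import date

# IoC domains from the page, re-fanged so they can be matched against logs.
PAGE_IOC_DOMAINS = {"hygmi.com", "0cq.us", "ksaguna.com"}

# Constructed sample: one row per line, "<query date> <domain> <registration date>".
# Domains other than the page IoCs and example.* are made up for this example.
SAMPLE_ROWS = """\
2023-10-30 hygmi.com 2023-03-02
2023-10-30 0cq.us 2023-10-12
2023-10-30 example.com 1995-08-14
2023-10-30 x9qz.us 2023-06-20
2023-10-30 support.example.net 2010-05-05
"""
SAMPLE_TODAY = date(2023, 10, 30)  # the day the sample log was captured
NRD_WINDOW_DAYS = 30  # assumed length of a typical newly-registered-domain blocklist


def looks_rdga(domain: str) -> bool:
    """Heuristic (an assumption, not the actor's real algorithm) for the short,
    random-looking registrable labels described above: at most 7 characters
    with a digit or at most one vowel. ksaguna.com deliberately does not match,
    which is why IoC matching is still applied alongside it."""
    label = domain.rsplit(".", 2)[-2]  # second-level label, e.g. '0cq' in 0cq.us
    vowels = sum(label.count(v) for v in "aeiou")
    return len(label) <= 7 and (any(c.isdigit() for c in label) or vowels <= 1)


def triage(rows: str, today: date) -> dict:
    """Return {domain: [reasons]} for rows that deserve analyst attention."""
    findings = {}
    for line in rows.splitlines():
        _seen, domain, created = line.split()
        age = (today - date.fromisoformat(created)).days
        reasons = []
        if domain in PAGE_IOC_DOMAINS:
            reasons.append("matches published IoC")
        if looks_rdga(domain):
            reasons.append("RDGA-like label")
            # Strategic aging: say explicitly when an NRD-only filter would
            # already have let this domain through.
            if age > NRD_WINDOW_DAYS:
                reasons.append(f"aged {age}d past NRD window")
        if reasons:
            findings[domain] = reasons
    return findings


if __name__ == "__main__":
    for dom, why in triage(SAMPLE_ROWS, SAMPLE_TODAY).items():
        print(dom, "->", "; ".join(why))
```

x9qz.us is reported on the label heuristic alone, showing the kind of candidate that needs confirmation from other telemetry before blocking.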
MITRE Techniques:
- Defense Evasion (T1560): Prolific Puma uses link shortening services to disguise phishing attempts.
- Credential Dumping (T1003): Delivery of browser plugin malware to capture sensitive information from victims.
- Phishing (T1566): Includes techniques for crafting deceptive emails leading to phishing sites through shortened URLs.
Indicators of Compromise:
- [Domain] hygmi[.]com
- [Domain] 0cq[.]us
- [Domain] ksaguna[.]com
- [IP Address] 45[.]32[.]147[.]158
- [Email Address] blackpumaoct33@ukr[.]net