TLD Tracker: Discovering Newly Released Top-Level Domains

The article analyzes 19 newly released TLDs and how adversaries exploit them for phishing, distribution of unwanted programs, torrenting, and related activities, using graph-based detection to map campaigns. It highlights TLD rollout phases and stresses proactive monitoring to mitigate emerging risks from new TLDs. #Worldfree4u #ChotoXYZ #Unit42

Keypoints

  • 19 new TLDs released in the past year have been linked to large-scale phishing and other malicious activities.
  • Over 1,000 generic TLDs exist, with new ones being added annually, increasing the potential for abuse.
  • New TLDs can resemble popular file extensions, making them attractive for cybercriminals.
  • Palo Alto Networks offers security solutions to protect against threats associated with these TLDs.
  • The rollout of new TLDs involves several phases, including a mandatory sunrise period to protect trademark holders.
  • Graph-based detection systems are used to track and analyze malicious activities associated with new TLDs.
  • Case studies reveal various campaigns, including phishing, chat bot services, and torrenting operations.
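As an added example (not code from the Unit 42 article), the following Python monitor applies the key points above to constructed DNS query logs: it flags lookups under a watchlist of newly released TLDs and notes when the TLD also doubles as a common file extension. The watchlist, log format and sample lines are assumptions; only the .bot and .click names come from the page's indicators.

```python
import re
from dataclasses import dataclass

# Example watchlist. The article does not enumerate its 19 TLDs here; .bot and .click
# appear in its indicators, .zip and .mov are assumed additions chosen because they
# collide with common file extensions.
WATCHED_TLDS = {"bot", "click", "zip", "mov"}
FILE_EXTENSION_TLDS = {"zip", "mov"}  # assumption: TLDs that read like file extensions

# Constructed DNS query log lines: "<timestamp> <client> <qname> <qtype>".
SAMPLE_LOG = """\
2024-05-01T10:00:01Z 10.0.0.5 www.example.com A
2024-05-01T10:00:02Z 10.0.0.7 akira.bot A
2024-05-01T10:00:03Z 10.0.0.7 amsterdam.bot. AAAA
2024-05-01T10:00:04Z 10.0.0.9 choto.click A
2024-05-01T10:00:05Z 10.0.0.9 invoice-2024.zip A
2024-05-01T10:00:06Z 10.0.0.5 mail.example.org MX
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


@dataclass(frozen=True)
class Finding:
    client: str
    qname: str
    tld: str
    file_extension_collision: bool


def tld_of(qname: str) -> str:
    """Return the TLD of a query name, ignoring a trailing root dot."""
    return qname.rstrip(".").rsplit(".", 1)[-1].lower()


def scan_dns_log(text: str) -> list:
    """Flag every query whose TLD is on the watchlist; malformed lines are skipped."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        _ts, client, qname, _qtype = m.groups()
        tld = tld_of(qname)
        if tld in WATCHED_TLDS:
            name = qname.rstrip(".").lower()
            findings.append(Finding(client, name, tld, tld in FILE_EXTENSION_TLDS))
    return findings


def names_by_tld(findings: list) -> dict:
    """Group flagged names per TLD, the pivot a graph-based tracker would expand from."""
    grouped = {}
    for f in findings:
        grouped.setdefault(f.tld, set()).add(f.qname)
    return grouped
```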

MITRE Techniques

  • [T1566] Phishing – “Used domains under new TLDs to conduct phishing attacks.”
  • [T1483] Domain Generation Algorithms – “Malicious actors registered domains under newly available TLDs to evade detection.”
  • [T1203] Exploitation for Client Execution – “Utilized domains resembling file extensions for distributing malicious content.”
  • [T1003] Credential Dumping – “Phishing campaigns aimed at harvesting credentials through deceptive domains.”
  • [T1071] Command and Control – “Domains used for redirecting traffic to malicious sites for command and control operations.”

Indicators of Compromise

  • [Domains] Related domains observed in campaigns – akira.bot, amsterdam.bot, and other domains
  • [URL Paths] URL paths used in campaigns – choto.click/vx/, harriet.php, and other URL paths

Read more: https://unit42.paloaltonetworks.com/tracking-newly-released-top-level-domains/