
Thank you very much. Over this presentation I'll be looking over how I analyzed newly created domains, domains that were created within a week in December last year. But a bit before that, a bit about who I am: I studied at the University of Westminster, and after I graduated I did a little bit of freelance work and a bit of contracting work before I ended up at Kinetic as a SOC analyst. Just a disclaimer: all opinions in this presentation are my own and don't reflect those of my company.

So I work as a SOC analyst, which is 24/7; we have external clients and it's all SIEM monitoring. The reason why I did this analysis is to understand the threat landscape. It gives us better context for what's actually happening out there. It also allows us to be proactive within our defence: it's staying one step ahead of the game and helping us stop the bad guys before they even have a chance to act. It's great for finding correlation between trends and trying to spot some malicious campaigns out there as they're being created. The limitations that I added to it were that it's all passive and open source intelligence, so it means no banner grabbing, no direct contact or connection, and it's all to preserve operational security so we don't expose attribution back to our own organizations.

The data that I've been working with is from WhoisDS.com, which is basically a text document of all newly created domains within a single day. It's free; it is free for about seven days in the past, and the licensing allows us to use that in a corporate environment as well. There are other places you can go to as well that have better data, but we'll stick to this one in my analysis.

So the first step we need to do is to collect all that data into a file, something that can be easily queried and analyzed. So after putting it all into a database we are able to look at some of the common activities within malicious domain names. So you have brand jacking, where they use well-known brands to try and get people to click on their website. Doppelgangers, which look exactly the same as the domains that are already out there, by removing the dot from the host or subdomain. You also have typosquatting, so you have, like, apple.com, but they might miss the E with fat fingers and press R instead, and somebody has registered that, and that relies on the end user's mistakes. Now one of the most interesting ways is homograph attacks, which is Punycode within the URL for internationalized domain names. So for this attack you have to have the xn-- prefix to tell the browser that it is an IDN, and as from this example, the xn--a... and so on and so forth, if you put it into a browser that is configured for IDNs it actually appears as apple.com, and the reason why is you have non-Roman alphabets which are all based on ASCII. So, going back, the Greek, Latin and Cyrillic all look the same but they all have different codes. So on the 27th of December there were 881 domains with the xn-- prefix, which are all ASCII compatible encoding.

Other things we need to do after looking at all the phishing sites is to gather all the domain names and look at how many were created in each top-level domain on each day. And looking at it, it's difficult for humans to read, so we need to organize it and display it in a way that humans can easily interpret. So from this we can already see that .info was, sorry, .loan was very quiet up until the 31st; so it was a few hundred until it got to 53,000 on that single day, so that was clearly a campaign going on. So like I said, we need to organize it so it's easier to look for trends. If we go back in the data we can see that on the first of the year it looks like there's a little erroneous data as well, where it just wasn't recording the newly created domains.

So after doing all that we look for peaks in activity, so by putting it into a graph which is normalized so that all data is between the range of 0 and 1, it's easier for us to see key peaks with domains that could be linked. So looking at this I saw that there might be something going on with the .vote top-level domain. So after digging a little bit into it, what I found was a load of domain names that were, sorry, that were named after American university sports teams, and there were several hundreds of those, and for each of them, to get a domain in that TLD cost $39.99, and that was while it was on sale. So estimating the amount of investment that this person had to put in, it would have been twelve thousand dollars. So it could be that he's intending to squat on these domains and sell them to the university teams, or, from my perspective, it was more of a phishing campaign targeted at these universities. Looking into the person behind it, it was a person called Jake Hoffman, and looking deeper into him while using some open source intelligence we can see he was an Arizona Queen Creek councilman. He does own a digital communications company, so it could be legit, could be him legitimately buying these domains to sell to these American universities. But after digging deeper into him and finding more email addresses associated with him, I put him through Have I Been Pwned and we do see that he has been compromised. So we see B2B USA Business and LinkedIn, where his physical address, email addresses, passwords, employers, job titles, phone numbers, all of these have been leaked. So it could be that an actor has taken these bits of information and used them to register these domains in his name.

Other things that we can find within domain names are DGAs, which are domain generation algorithms. They act as a C&C rendezvous point for malware. So as a brief overview, malware will use pseudo-random generation to create a domain name and the threat actor would register these domain names, so the malware then reaches out to it and then reaches back to the C&C server. The reason they do that is, if they directly go to a C&C server you can block off access to it through the firewall, but having several different domains means if you block off one then it would generate another one, go to it, go back, and so on and so forth, allowing more persistence within your network. One way that I was able to group these domain generation algorithm names together was that there was always a set length; that's the way that the algorithm outputted it. So we can see the .party: there were many domain names with character lengths of 17 and 18, which showed up, and by verifying the data we could see that these were DGAs as well.

Going back into more of the Whois, we could see different personas as well that people could take. A lot of them were Chinese personas, but they possibly might not be Chinese, as it's very easy to fake a persona online. Things that you can do to group them together is reverse Whois, which helps find all domains registered by that person. So looking into it, taking a sample of 20 from one domain out of every 2,700 domains, you see one registrar used, which is alibaba.com. I saw three identical identities used: Allen Turn, Li Xiaolong and Kim Magician. All of them were based in Singapore; two of them were in the city of Ginger Powe, one in the city of Singapore, and two with phone numbers from Singapore and one with a phone number registered in China. Looking into the names, Allen Turn is a famous Singaporean actor, though other people could take his name; Li Xiaolong is the native name of the famous martial artist and actor Bruce Lee; and Kim Magician is possibly a researcher with Duke University Medical Center in the US. So a lot of people will try and just take other people's names, because making up names can be quite difficult.

So what we need to do next is just continually improve and research this. We're still working in-house to make it more solid, so that we can definitely say that these domains are malicious. Other things, the limitations on this: due to GDPR, Whois is becoming less effective because it no longer shares the email addresses and physical addresses of the registrants, so instead we are now trying to pivot more on SSL certificates through Censys' service as well, and also on the registrar used. So we saw a registrar service like Njalla; it's a privacy-based service, so it does all the transactions in Bitcoin and tries to keep everything private. So we can't say that people who use that are malicious or not, well, that can be a little bit malicious. So one thing we did see was a nation state actor using that registrar service. And thank you very much.

[Applause]
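As an added example that is not part of the talk, the Python below runs three of the checks the speaker describes over a constructed one-day sample of new registrations: it decodes xn-- labels and compares their confusable skeleton against a constructed brand watchlist (the homograph case), flags plain labels that embed a watched brand (brand jacking), and reports per-TLD label lengths that recur, the fixed-length pattern used to spot DGA output. The confusables table is a small hand-built subset, and the IDN sample domains are generated here by encoding Unicode strings rather than copied from any real feed.

```python
from collections import Counter, defaultdict
import unicodedata

# Hand-built subset of Unicode confusables (Cyrillic/Greek letters that render like Latin).
CONFUSABLES = {"а": "a", "е": "e", "о": "o", "р": "p", "с": "c", "х": "x", "у": "y",
               "і": "i", "ј": "j", "ѕ": "s", "ο": "o", "α": "a", "ν": "v"}
WATCHLIST = {"apple", "paypal", "microsoft"}  # constructed brand list for matching

# Constructed sample of one day's new registrations; the IDNs are built by encoding here.
SAMPLE = [
    "apple.com", "payments-paypal-secure.info",
    "аррlе.com".encode("idna").decode("ascii"),   # Cyrillic а, р, е with a Latin l
    "pаypаl.com".encode("idna").decode("ascii"),  # Cyrillic а in place of Latin a
    "q3kd8x1mz9pl.party", "z8fa2lq0vm5n.party", "kd93mxo2pq1z.party", "shop.party",
]

def decode_label(label):
    """ToUnicode for one xn-- label; anything else (or malformed Punycode) is returned as-is."""
    if not label.lower().startswith("xn--"):
        return label
    try:
        return label.encode("ascii").decode("idna")
    except UnicodeError:
        return label

def skeleton(label):
    """Replace look-alike letters with their Latin counterparts after NFKC normalisation."""
    return "".join(CONFUSABLES.get(c, c) for c in unicodedata.normalize("NFKC", label))

def scripts(label):
    """Scripts used by the letters of a label (first word of each Unicode character name)."""
    return {unicodedata.name(c, "UNKNOWN").split()[0] for c in label if c.isalpha()}

def homograph_hits(domains):
    """(domain, decoded label, brand) for IDN labels whose skeleton is a watched brand."""
    hits = []
    for d in domains:
        sld = d.split(".")[0]
        dec = decode_label(sld)
        if dec != sld and skeleton(dec) in WATCHLIST and scripts(dec) != {"LATIN"}:
            hits.append((d, dec, skeleton(dec)))
    return hits

def brandjack_hits(domains):
    """Plain-ASCII domains whose label embeds a watched brand without being exactly that brand."""
    return [d for d in domains if not d.startswith("xn--")
            and any(b in d.split(".")[0] and d.split(".")[0] != b for b in WATCHLIST)]

def length_clusters(domains, min_size=3):
    """Per TLD, label lengths seen at least min_size times: the fixed-length signature of DGA output."""
    by_tld = defaultdict(Counter)
    for d in domains:
        sld, _, tld = d.partition(".")
        by_tld[tld][len(sld)] += 1
    return {t: {n: c for n, c in lens.items() if c >= min_size} for t, lens in by_tld.items()}
```

On a real daily feed, raise min_size to match the volume and review the decoded label beside the raw xn-- form, since the ASCII form alone gives no hint of the lookalike.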