
SecurityTrails Blog · Mar 31 · Nicolás Pence & The SecurityTrails Team

Finding Coronavirus Malicious Domain Names

Reading time: 11 minutes

The coronavirus outbreak (COVID-19) is arguably one of the most widely publicized events of the century. Reliable information surrounding this pandemic has been scarce, provoking a true “infodemic”: a flood of unhelpful content such as jokes, dubious home remedies and viral fake videos, mixed in with useful and accurate information.

This health crisis has created an unfortunate window for individuals and organized groups of malicious hackers to take advantage of the situation. They send malware payloads as email attachments and apps, or create specially crafted websites disguised as valid sources of information, which conveniently lets them gain control over their targets’ systems and accounts.

To address this issue, today’s post explores different investigation approaches used to detect and avoid suspicious domain names. This is a critical area, as domain names can be easily mistaken for benign and truthful sources of information, even when they’re the complete opposite.

Domain background

Why domain names? One might think there are easier ways to gain access to personal and IoT devices throughout the world wide web, and that is completely correct. However, we’re intent on chasing the odd cases, the ones that have been reported over the last few weeks, regarding APTs (Advanced Persistent Threats), which target specific victims.

Because victims need to be convinced of the legitimacy of the information source they’re consuming, attackers are actively registering domain names that include the word “coronavirus” within the domain name, or as a subdomain.

Newly registered domain listings

In order to grasp the size of this task, one needs to consider the amount of new domain names registered per day or per month. Quite simply, there’s a lot.

Frequently, attackers register new domain names (sometimes with fraudulent credit cards) that have no previous digital footprint, and use them to deceive their victims.

In the following example, we’re going to gather all the newly registered records that include the word “coronavirus” within the domain name, beginning with those registered on a given day (the first day of the month, in the script below; more information on this topic and service is covered in our article Newly Registered Domain Feeds). To get those new registrations, we wrote the following script, which shows how to perform a query using the SecurityTrails domain feeds API:

#!/bin/sh

SEARCH_PATTERN="coronavirus"
FROM_DATE="2020-02-01"  # Date Format YYYY-MM-DD
API_KEY="YOUR_API_KEY"
URL="https://api.securitytrails.com/v1/feeds/domains/new?apikey=$API_KEY&date=$FROM_DATE&ns=true"

# The feed is served gzip-compressed; decompress it before filtering
curl --silent --output - "$URL" | gzip -d | grep -i --color "$SEARCH_PATTERN"

This will output something similar to this:

Newly registered domain listings

While this list gives some insight into the sheer number of newly registered domains, it’s difficult to manually extract suspicious domains and check them individually.

Still, we are able to automate the process of finding newly registered domains and verifying the information, as we’ll explain in the following sections.

Domain information

There are several domains out there which are newly registered but have no information whatsoever. Searches for the name Coronavirus (or, in particular, COVID19) concern a new and trendy topic (despite the long existence of the Coronavirus name in academia), so you can expect to find some very new related domain names.

There may, however, be some legitimate information about such a domain name, which we can find by performing a WHOIS lookup or by querying DNS itself. Let’s start with the Start of Authority (SOA) DNS record and zoom in on the responsible zone administrator’s email (the RNAME field).

Taking this from idea to a working script, it could look like this:

#!/bin/bash

SEARCH_PATTERN="coronavirus"
FROM_DATE="2020-03-22"  # Date Format YYYY-MM-DD
API_KEY="YOUR_API_KEY"
URL="https://api.securitytrails.com/v1/feeds/domains/new?apikey=$API_KEY&date=$FROM_DATE"

# Get the list from the SecurityTrails "newly registered domain names" feed
# (first CSV column is the domain name)
DNS_FEED=$(curl --silent --output - "$URL" | gzip -d | grep -i "$SEARCH_PATTERN" | cut -d, -f1)

for i in $DNS_FEED
  do
    # For every domain name in the list, extract the SOA record and
    # retrieve the Responsible Email (second field of the answer: the RNAME).
    # In RNAME the first dot stands for "@" and the trailing dot is the DNS root.
    RMAIL_SOA=$(dig "$i" soa +short | awk '{print $2}' | sed 's/\./@/' | sed 's/\.$//')
    if [[ -z "$RMAIL_SOA" ]]
      then
        # In case the record is EMPTY, print it so we can see it or parse it
        RMAIL_SOA="EMPTY"
      fi
  echo "[Domain] => $i | [SOA Email] -> $RMAIL_SOA"
done

While this could be a way to detect inconsistencies, SOA records as well as (spoiler alert) WHOIS domain information are often filled with wrong, useless or obfuscated information. To find good hints on malicious web sites, this approach isn’t always as valuable as one might hope—but it’s still worth a try.
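The RNAME field has one wrinkle the script above does not handle: a mailbox whose local part contains a dot is written with that dot escaped (for example `john\.doe.example.com.` stands for `john.doe@example.com`), so replacing the first dot blindly yields the wrong address. The following function, an added example rather than code from the original post, parses the RNAME out of a `dig +short` SOA answer and converts it to an email address while honouring that escape. The SOA answers it runs on are constructed inline (the names are made up), so it works offline; in practice you would feed it the output of `dig "$domain" soa +short`.

```shell
#!/bin/sh
# Added example: turn the RNAME of an SOA record into an email address.
# Assumption: input is the one-line answer format of `dig <name> soa +short`:
#   MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM

# rname_to_email RNAME
# The first unescaped dot separates mailbox from domain, "\." is a literal
# dot inside the mailbox, and the trailing dot is the DNS root.
rname_to_email() {
  printf '%s\n' "$1" | awk '{
    s = $0
    sub(/\.$/, "", s)
    out = ""; n = length(s); i = 1; seen_at = 0
    while (i <= n) {
      c = substr(s, i, 1)
      if (!seen_at && c == "\\" && i < n) {     # escaped character: keep it literally
        out = out substr(s, i + 1, 1); i += 2; continue
      }
      if (!seen_at && c == ".") {                # first unescaped dot becomes "@"
        out = out "@"; seen_at = 1; i++; continue
      }
      out = out c; i++
    }
    print out
  }'
}

# soa_email "<dig +short SOA answer>"
# Prints the administrator email, or EMPTY when there is no answer (NXDOMAIN, no SOA).
soa_email() {
  rname=$(printf '%s\n' "$1" | awk 'NF >= 2 { print $2 }')
  if [ -z "$rname" ]; then
    echo "EMPTY"
  else
    rname_to_email "$rname"
  fi
}

# Constructed sample answers (made-up names, not real lookups)
SAMPLE_PLAIN='ns1.example. hostmaster.example. 2020033101 3600 900 604800 86400'
SAMPLE_ESCAPED='ns1.example. john\.doe.example. 2020033101 3600 900 604800 86400'

soa_email "$SAMPLE_PLAIN"     # hostmaster@example
soa_email "$SAMPLE_ESCAPED"   # john.doe@example
soa_email ""                  # EMPTY
```

Replace `sed 's/\./@/'` in the loop above with `soa_email "$(dig "$i" soa +short)"` to get the same EMPTY handling plus correct escaping.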

What about domain names?

Another way to get domains is by using the advanced search features on the SecurityTrails free app, from the following URL:

https://securitytrails.com/list/?query=keyword%20%3D%20%27coronavirus%27

(Keep in mind that in order to use the advanced search feature on the free app, you’ll first need to log in.)

Domain names

Cross-referencing two sources, the working DNS records whose domain name contains the word coronavirus (a `%coronavirus%` pattern) and the newly registered domain records, can give some insight into a fast-moving website that’s “ready to scam”.

Let’s learn how to do that:

First, grab all newly registered domain names matching the desired pattern (in this case, coronavirus); then query an active-domain listing service (e.g. the SecurityTrails domain listing search) for the same pattern; finally, identify which names appear in both.

To summarize, we’re going to grab these two listings and see which of them match, meaning they are actually being used by internet users:

  • New domain names via domain feeds (taken from above)
  • Domains obtained from passive DNS query listings

#!/bin/sh

API_KEY="YOUR_API_KEY"
SEARCH_PATTERN="coronavirus"

# The JSON body must be well formed: note the escaped closing quote after the
# pattern and the closing brace on its own line
curl \
  --silent \
  --request POST \
  --header "Content-Type: application/json" \
  --header "APIKEY: $API_KEY" \
  --data-binary "{
  \"query\" : \"domain LIKE '%$SEARCH_PATTERN%'\"
}" \
'https://api.securitytrails.com/v1/search/list' | jq --raw-output '.records | .[].hostname'

Matching these listings may yield surprising results. In our tests we got about three domain names that were newly registered and in use (present at domain lists), but once we found them they looked suspicious enough to take to the next level of analysis (more ideas on that below).

So are we done? No! We can try numerous other ways to gain leads: check all registered domains (not just the new ones), fetch the A or CNAME records of those domain names, and check for anomalies in the related records (SOA, MX, TXT) or websites (sometimes these domains have very low interaction, so they don’t show up easily in domain listings).

What about subdomains?

Not all offensive techniques include the use of beautifully crafted domain names. Sometimes attackers use simple subdomains and include a related word that convinces victims they’re visiting a safe website.

Let’s change the “by domain name” query we used by just a little bit. We’ll tweak it to find only subdomains with the “coronavirus” word in it, disregarding the domain name in which it’s included.

The search pattern should look like this: %coronavirus%.any-domain-name.tld
(we place .tld to make a point, but any ccTLD or gTLD is completely valid).

The following script shows how we can accomplish this:

#!/bin/sh  

API_KEY="YOUR_API_KEY"
SEARCH_PATTERN="coronavirus"

curl \
  --silent  \
  --request POST \
  --header  "Content-Type: application/json"  \
  --header  "APIKEY: $API_KEY"  \
  --data-binary  "{
  \"query\" : \"subdomain LIKE '%$SEARCH_PATTERN%'\"
}"  \
'https://api.securitytrails.com/v1/search/list' | jq --raw-output  '.records | .[].hostname'

This is an extract (at the time of this writing) of the matching subdomains list. You’ll find some interesting names that may persuade us to investigate further:

Matching subdomains list

To extend these checks and go a little deeper, you could also do a comparison between the list of subdomains obtained in the newly registered subdomains feed and the ones obtained in the subdomain listing of records in use (passive DNS registry).

Check out the following section on how to obtain newly registered subdomains.

What about new subdomains?

We could dig a little further and create a special search for new subdomain feeds, in a similar fashion to our search for plain domain names. This might even be more interesting because we can find subdomains that include the desired search word in different parts of the domain name. As an example, cases like %coronavirus%.domain.tld can only be seen using this particular resource.

The API query should look like this:

#!/bin/sh

SEARCH_PATTERN="coronavirus"
FROM_DATE=$(date +"%Y-%m-%d")  # Date Format YYYY-MM-DD (today)
API_KEY="YOUR_API_KEY"   # no space after "=", or the shell would run the value as a command
URL="https://api.securitytrails.com/v1/feeds/subdomains/new?apikey=$API_KEY&date=$FROM_DATE&ns=true"

curl --silent --output - "$URL" | gzip -d | grep -i --color "$SEARCH_PATTERN"

And the result, like this:

New subdomains

We also see some conspicuous subdomains involving a coronavirus-related domain name, which would otherwise remain undiscovered by our previous inquiry.

Matching subdomains

Once you have both listings, you can filter and check which ones were used, and by doing so identify potentially suspicious subdomains.
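The intersection step itself, for both the domain listings compared earlier and the subdomain listings compared here, is not shown on the page, so here it is as an added example (not code from the original post). It normalizes both lists (case, trailing root dot, stray whitespace), intersects them with `comm`, and then reports whether the keyword sits in the registrable domain or only in a subdomain label. The feed and listing files are constructed inline with made-up names so the script runs offline; in practice they are the outputs of the feed and search/list calls above. One labelled assumption: the registrable name is taken to be the last two labels, which is wrong for ccTLDs such as .co.uk, so use a public suffix list for real triage.

```shell
#!/bin/sh
# Added example: intersect a newly registered feed with a passive DNS listing
# and classify where the keyword appears in each match.
LC_ALL=C
export LC_ALL

# normalize_hosts: read hostnames on stdin, emit a sorted, unique, canonical list
# (lowercase, no CR or surrounding blanks, no trailing root dot, no empty lines)
normalize_hosts() {
  tr -d '\r' | tr 'A-Z' 'a-z' \
    | sed -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' -e 's/\.$//' -e '/^$/d' \
    | sort -u
}

# match_lists NEW_FEED_FILE ACTIVE_FILE
# NEW_FEED_FILE may be the raw feed CSV: only its first column (the name) is used.
# Prints the names present in both lists. comm needs both inputs sorted the same
# way, hence LC_ALL=C and sort -u in normalize_hosts.
match_lists() {
  new_sorted=$(mktemp) || return 1
  active_sorted=$(mktemp) || return 1
  cut -d, -f1 "$1" | normalize_hosts > "$new_sorted"
  normalize_hosts < "$2" > "$active_sorted"
  comm -12 "$new_sorted" "$active_sorted"
  rm -f "$new_sorted" "$active_sorted"
}

# keyword_position HOSTNAME KEYWORD
# Prints "domain" when the keyword is in the registrable name, "subdomain" when
# it only appears in labels to the left of it, "none" otherwise.
# Assumption: registrable name = last two labels (no public suffix list here).
keyword_position() {
  host=$(printf '%s' "$1" | tr 'A-Z' 'a-z')
  kw=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
  apex=$(printf '%s\n' "$host" | awk -F'[.]' '{ if (NF >= 2) print $(NF-1) "." $NF; else print $0 }')
  case "$apex" in
    *"$kw"*) echo "domain"; return 0 ;;
  esac
  case "$host" in
    *"$kw"*) echo "subdomain" ;;
    *)       echo "none" ;;
  esac
}

NEW_FEED=$(mktemp)
ACTIVE_LIST=$(mktemp)
trap 'rm -f "$NEW_FEED" "$ACTIVE_LIST"' EXIT

# Constructed feed lines (name,nameserver), not real registrations
cat > "$NEW_FEED" <<'EOF'
Coronavirus-Update.example,ns1.hosting.example
coronavirus-info.example,ns2.hosting.example
covid-news.example,ns1.hosting.example
EOF

# Constructed passive DNS listing, not real data
cat > "$ACTIVE_LIST" <<'EOF'
coronavirus-update.example.
coronavirus-info.example
www.coronavirus.health.example
EOF

# Names that are both newly registered and already in use, with keyword placement
match_lists "$NEW_FEED" "$ACTIVE_LIST" | while read -r h; do
  echo "$h  keyword in: $(keyword_position "$h" coronavirus)"
done
# coronavirus-info.example  keyword in: domain
# coronavirus-update.example  keyword in: domain
```

Run it against the real feed by saving the decompressed feed output to one file and the `jq` hostname list to another, then calling `match_lists` on the two files.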

Domain name history

It’s possible that these domains have no history whatsoever, but we can check for it anyway, by using the SecurityTrails SurfaceBrowser™.

Domain name history

The result can provide additional information regarding ownership and configuration, including:

  • Current and past registrars
  • Domain age (very interesting)
  • WHOIS timeline (nice visualization always helps!)
  • Previous ownerships
  • Presence or absence of private records

With this background check, you can gain a better understanding of the domain’s past and current status.

WHOIS information

As stated before, WHOIS records aren’t always the best source for data extraction. Sometimes records are obfuscated (to avoid sensitive information leaks), or contain nothing useful, or they’re just plain wrong (providing deceptive or inaccurate information).

Despite this, sometimes WHOIS can lead us to valuable historic records, which can shed a little light and invite us to investigate further.

Sometimes you’ll encounter this scenario:

Registry Registrant ID: REDACTED FOR PRIVACY
Registrant Name: REDACTED FOR PRIVACY
Registrant Organization: Private by Design, LLC
Registrant Street: REDACTED FOR PRIVACY
Registrant City: REDACTED FOR PRIVACY
Registrant State/Province: NC
Registrant Postal Code: REDACTED FOR PRIVACY
Registrant Country: US
Registrant Phone: REDACTED FOR PRIVACY
Registrant Phone Ext: REDACTED FOR PRIVACY
Registrant Fax: REDACTED FOR PRIVACY
Registrant Fax Ext: REDACTED FOR PRIVACY

But sometimes you’ll come up with good information, real addresses, real phone numbers, and even old and forgotten historic name servers which are, for our purposes, the most valuable records you can find.

Go beyond this analysis

So in the event you find a suspicious domain name, what’s next?

There are several online tools for you to use, allowing you to double-check the reputation of a given website and analyze it within a secure environment (sandbox). Techniques may include:

And the list goes on!

Once you get a lead, you can perform a deeper analysis to find out if you’re onto something truly malicious.

How to protect ourselves?

As always, the weakest link in the chain is the user. We can’t emphasize strongly enough the importance of educating people on taking a defensive approach when using the internet and all of its goodies.

Along with this diligence, some companies are taking the initiative to prevent the abuse of any fake coronavirus-related online presence, through deceptive domain names, fake news, fake product listings, fake advertisements, etc.

As you’ve read in this article, it isn’t easy to find fraudulent domains that are deceiving people for access to their computer systems or network, or to steal their money and information.

Some domain registrars, like Namecheap, took matters into their own hands and started blocking the usage of potentially misleading words within the domain names that customers register, unless they have a justified reason for doing so.

Conclusion

Now you have some idea about the exhaustive work of finding leads on what domains are being used for, which can include:

You can also go forward with insights on automating your own scripts to get leads, and proactively protecting yourself and your infrastructure.

A useful set of IP intelligence data is crucial for this to work, to make this whole process more efficient and to lower the rate of false positives.

Remember that attackers use many different techniques to achieve their objectives, and evading automated protection systems (IDS/IPS, antivirus, etc.) is one of them, so you’ll want a skill set that includes, but doesn’t stop at, the use of those tools.

And finally, sayings like “there are no silver bullets” and “security is a process, not a product” are more than just clichés. They’re words to live by!


Our API, Feeds and SurfaceBrowser™ are your perfect allies for performing cybercrime investigations, letting you find clues and critical data that will help you discover malicious activities by any bad actors. Contact our sales team and schedule a call today!