Tens of thousands of illegally established subdomains used by criminals involved with the RIG Exploit Kit were recently taken down after an investigation revealed that hackers were phishing domain account credentials to set up these subdomains.
Most of the subdomains used GoDaddy as the primary domain registrar. GoDaddy, in conjunction with research done by RSA Security and a handful of other security companies and independent researchers, was able to shut down the subdomains in May along with hundreds of IP addresses used as malware landing pages. The technique of creating subdomains with stolen credentials is known as domain shadowing.
RSA Security said that, without full visibility into RIG's infrastructure, it is unknown how big a dent the takedowns put in the exploit kit's operations, or in the malvertising and spam campaigns swept up in the takedown. RIG is the most prevalent exploit kit in circulation after a devastating 2016 for these criminal enterprises, when a number of arrests shut down Angler and other profitable operations.
RSA Security published a report today describing this aspect of the RIG operation. Alex Cox, director of RSA's FirstWatch Global research team, said the criminals were likely using information-stealing malware as part of a phishing campaign that targeted GoDaddy credentials. Once the attackers had access to a victim's account, they could add new subdomains to serve as gates in attacks, redirecting victims to IP addresses, most of them in Eastern Europe, that hosted the exploit kit.
Cox said that an investigation into exploit kit activity revealed patterns in the way URLs were presented to the test machines being attacked. RSA researchers were able to map domains to registrars and discovered that a good number of them were registered with GoDaddy, an RSA partner.
Cox said 40,000 subdomains and 2,000 IP addresses were involved, all related to RIG activity. Four campaigns surfaced between February and March, two of them using domain shadowing and spreading Cerber ransomware and Dreambot banking malware among their payloads.
RSA said that GoDaddy was able to kill all 40,000 subdomains at once in late March, and the researchers helped build automation to monitor for and detect similar domain shadowing activity going forward.
“This was a coordinated phishing campaign where they were phishing for GoDaddy credentials,” Cox said, adding that it’s likely other registrars could be similarly involved. Domain shadowing is ingenious in that attackers understand that once someone registers a domain, they are unlikely to give a second thought to their original DNS settings and other configuration. “We were seeing hundreds of changes a day, so there was some automation involved.”
Shadow domains were kept alive for 24 hours on average, and DNS records were cleaned up before new shadow domains were created, RSA said. The technique, meanwhile, neatly bypasses content filtering, Cox said.
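The article describes the monitoring GoDaddy and RSA built only in outline (new subdomains hung off legitimate domains, resolving to unrelated hosting, alive for about a day, hundreds of changes per day). The following is an added example, written for this page and not RSA's or GoDaddy's automation, of how a defender might flag that pattern from passive-DNS style records. It assumes records carrying first-seen and last-seen timestamps, uses a /24 comparison against the apex's own addresses as a stand-in for a proper ASN lookup, and runs on constructed sample data (the domain names and addresses below are invented, drawn from reserved example ranges).

```python
"""Heuristic domain-shadowing detector over passive-DNS style records (added example)."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

# Constructed sample records, one per line: first_seen last_seen fqdn address.
# good.example has lived on 198.51.100.0/24 for years; four throwaway labels
# appear under it for about a day each and point at a different network.
SAMPLE_LOG = """\
2015-06-01T00:00:00 2017-03-30T00:00:00 good.example 198.51.100.20
2015-06-01T00:00:00 2017-03-30T00:00:00 www.good.example 198.51.100.20
2015-06-01T00:00:00 2017-03-30T00:00:00 mail.good.example 198.51.100.25
2017-03-02T08:00:00 2017-03-03T07:30:00 kx9q2.good.example 203.0.113.10
2017-03-02T08:05:00 2017-03-03T07:40:00 p7vm1z.good.example 203.0.113.11
2017-03-03T08:10:00 2017-03-04T06:55:00 a3ttw.good.example 203.0.113.44
2017-03-03T08:15:00 2017-03-04T07:05:00 zz81mq.good.example 203.0.113.45
2016-01-01T00:00:00 2017-03-30T00:00:00 other.example 192.0.2.7
2017-03-05T10:00:00 2017-03-05T22:00:00 promo.other.example 203.0.113.99
"""


@dataclass(frozen=True)
class DnsRecord:
    first_seen: datetime
    last_seen: datetime
    fqdn: str
    address: str


def parse_records(text: str) -> list[DnsRecord]:
    """Parse the whitespace-separated sample format into DnsRecord objects."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        first, last, fqdn, addr = line.split()
        records.append(DnsRecord(datetime.fromisoformat(first),
                                 datetime.fromisoformat(last),
                                 fqdn.lower().rstrip("."), addr))
    return records


def apex_of(fqdn: str) -> str:
    """Registrable domain; assumes a two-label apex (no public-suffix list here)."""
    return ".".join(fqdn.split(".")[-2:])


def network_of(address: str) -> ipaddress.IPv4Network:
    """Coarse /24 bucket used in place of an ASN lookup (simplifying assumption)."""
    return ipaddress.ip_network(f"{address}/24", strict=False)


def detect_domain_shadowing(records, max_lifetime=timedelta(hours=36),
                            min_suspicious=3) -> dict[str, list[str]]:
    """Return {apex: [suspicious subdomains]} for apexes that look shadowed.

    A subdomain is suspicious when it (a) resolves outside every /24 the apex
    or www label itself uses and (b) lived no longer than max_lifetime; an apex
    is reported once at least min_suspicious such labels appear under it.
    """
    by_apex = defaultdict(list)
    for rec in records:
        by_apex[apex_of(rec.fqdn)].append(rec)

    findings = {}
    for apex, recs in by_apex.items():
        baseline = {apex, f"www.{apex}"}
        apex_nets = {network_of(r.address) for r in recs if r.fqdn in baseline}
        suspicious = set()
        for r in recs:
            if r.fqdn in baseline:
                continue
            off_net = network_of(r.address) not in apex_nets
            short_lived = (r.last_seen - r.first_seen) <= max_lifetime
            if off_net and short_lived:
                suspicious.add(r.fqdn)
        if len(suspicious) >= min_suspicious:
            findings[apex] = sorted(suspicious)
    return findings


if __name__ == "__main__":
    for apex, names in detect_domain_shadowing(parse_records(SAMPLE_LOG)).items():
        print(f"{apex}: {len(names)} probable shadow subdomains")
        for name in names:
            print("   ", name)
```

Run stand-alone, the script reports good.example with its four short-lived off-network labels, while the long-lived mail.good.example (same /24 as the apex) and the single odd record under other.example fall below the thresholds. In practice the /24 check would be replaced by an ASN or hosting-provider comparison, and the thresholds tuned against a registrar's or enterprise's own change volume, since the article notes hundreds of changes a day were the tell.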
“In a modern corporation, if I’m running good.com and the content filtering proxy says all’s good and this is the right website, if someone hangs a bad domain off it, it will bypass content filtering in a simple way.
“We see this often with criminals being adept at tracking how security technology is working and how we’re defending networks, and then building creative ways to get around that.”