<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>Where a malicious domain is hosted is only half of the picture. Digging into where lookups for that domain originate, that is, which networks are resolving it, turns up patterns that let us tie individual domains to coordinated malicious activity and, in some cases, to specific cybercrime operations.</p> <!--more--> <p>This post summarizes findings from a recent geolocation analysis of suspicious domains, highlighting overlaps with sanctioned countries, signs of Domain Generation Algorithm (DGA) activity, and potential connections to well-known cyber campaigns such as <i>Operation Triangulation</i>.</p> <p><strong>DNS Lookup Geolocation: Analyzing Origin Instead of Destination</strong></p> <p>DNS queries are often the earliest signal of malicious activity, because an infected host has to resolve its C2 or phishing domain before it can talk to it. Geolocating the source of those queries, rather than the hosting of the domain, is useful for identifying:</p> <ol> <li><strong>Regional Targeting Patterns</strong>: Domains with consistent lookup activity from specific regions may indicate a targeted attack or phishing campaign aimed at users in those areas.<br><br></li> <li><strong>Compromised Infrastructure</strong>: Lookups from unexpected locations can reveal infected devices on networks that were not thought to be affected.<br><br></li> <li><strong>Nation-State Involvement</strong>: Domains accessed from sanctioned or politically sensitive regions could be linked to nation-state cyber operations.</li> </ol> <p>One caveat applies to everything that follows: the address being geolocated is the one that reached the resolver. A query forwarded through an ISP or public recursive resolver, a VPN exit, or a proxy geolocates to that intermediary rather than to the infected host, so clusters are most meaningful when the source addresses are the clients themselves, and outliers should be checked against known resolver, VPN, and sandbox ranges before being read as infections.</p> <p>Let’s dive into the origins of DNS lookups. 
By doing so, we can uncover patterns that aid campaign attribution, track adversary movements, and give early warning of escalations in cyber activity.</p> <p><strong>Revealing Patterns: Geographical Clustering of Malicious Domains</strong></p> <p>The geolocation analysis uncovered several patterns of domain lookups that hint at coordinated campaigns, botnet activity, or covert relay networks. Here’s a breakdown of the most compelling ones:</p> <ul> <li><strong>Domains Linked to St. Peter Port, Guernsey, and Tehran, Iran</strong><br>Several domains, such as <span>chicostara[.]com</span> and <span>suewyllie[.]com</span>, showed consistent lookup activity from both St. Peter Port and Tehran. Two otherwise unrelated locations resolving the same set of domains is consistent with infected devices in both places. Both domains are associated with the <strong>Sality malware</strong>, a file infector known for spreading through infected executables and for the resilience of its C2 infrastructure.<br><br></li> <li><strong>Phishing Domains Spanning Brno, Czech Republic, and Virginia Beach, US</strong><br>Phishing domains such as soquartiner-w-o-u-r-k-u-pamper-4-4-4[.]xyz and bene.worx-promotions[.]com were looked up from two unrelated regions, Brno, Czech Republic, and Virginia Beach, US, showing how widely a single phishing lure is cast.<br><br></li> <li><strong>Lumma Stealer Activity Across Chile and Peru</strong><br>Domains attributed to the <strong>Lumma Stealer</strong> malware, <span>milldymarskwom[.]shop</span>, <span>quotamkdsdqo[.]shop</span>, and <span>puredoffustow[.]shop</span>, showed significant lookup activity from both Chile and Peru. 
Lumma Stealer harvests credentials, browser data, and other sensitive information from infected hosts, and this distribution may indicate a coordinated campaign against users in these two Latin American countries.</li> </ul> <p><strong>Operation Triangulation: A Coordinated Campaign in Russian Sanctioned Regions</strong></p> <p>A deeper dive into the data revealed a set of domains associated with <i>Operation Triangulation</i>. These domains were queried frequently from multiple Russian cities, including Volgograd and Izhevsk, and from parts of Ukraine. The following domains are implicated in this campaign:</p> <ul> <li>backuprabbit[.]com</li> <li>cloudsponcer[.]com</li> <li>snoweeanalytics[.]com</li> <li>topographyupdates[.]com</li> <li>unlimitedteacup[.]com</li> <li>virtuallaughing[.]com</li> </ul> <p><strong>Operation Triangulation</strong> relied on this set of domains for its command-and-control infrastructure. An implant has to resolve one of them before it can fetch a payload or report back, so the DNS lookup is usually the first observable trace of an infection, and lookups that converge on the same cities point to infected devices rather than to the attacker’s own servers. The convergence of lookup sources within these regions suggests the campaign was broader than the Kaspersky infections that first brought it to light. Infections were expected mainly in Russia and Ukraine, so lookups attributed to this campaign from New York, USA, and London, GB, stand out: they may be infected devices that travelled outside the targeted region, or researchers and sandboxes resolving the published indicators. The Russian and Ukrainian lookups are harder to explain away, because several of the domains cluster in the same cities, which is the pattern a population of infected devices would produce.</p> <p><strong>DGA Patterns in Expiro Botnet Domains</strong></p> <p>The analysis also highlighted a collection of <span>[.]biz</span> domains exhibiting patterns consistent with Domain Generation Algorithm (DGA) usage. 
The <strong>Expiro</strong> botnet uses a DGA to generate a stream of candidate domains for its C2 communication, so defenders cannot block the set in advance. The following domains were flagged:</p> <ul> <li>whjovd[.]biz</li> <li>uaafd[.]biz</li> <li>xccjj[.]biz</li> <li>hehckyov[.]biz</li> <li>reczwga[.]biz</li> <li>ywffr[.]biz</li> <li>muapr[.]biz</li> </ul> <p>These domains, along with others, show frequent lookup activity from Karaj, Iran, and Moscow, Russia. Automated domain generation lets Expiro outlast static blocklists: when a C2 domain is discovered and taken down, the bots move on to the next candidate. It also leaves two detectable traces, which is what DGA detection keys on: the labels look random (few vowels, long consonant runs, little repetition), and an infected host produces bursts of NXDOMAIN responses as it probes candidates the operator never registered.</p> <p><strong>Global Reach of Suspicious Domains: Beyond Sanctioned Locations</strong></p> <p>The analysis also revealed a surprisingly diverse set of regions involved in lookups for these domains, indicating compromised devices, proxy networks, or malicious infrastructure in many parts of the world. A few notable examples:</p> <ul> <li><strong>Small-Town America as a Hotspot</strong><br>Domains like <span>dreamwavelogix[.]com</span> and <span>pitbullterrierpuppieshome[.]com</span> were consistently looked up from small towns in Illinois and Indiana. These are phishing domains, so a steady, repeating lookup pattern is odd: researchers, sandboxes, or users who keep clicking the same lure? Whatever the cause, it suggests local networks in these areas may have been compromised and deserve a closer look.<br><br></li> <li><strong>Emerging Cybercrime Hubs in Africa and Latin America</strong><br>Domains linked to the Expiro botnet were frequently looked up from Nairobi, Kenya, and Ouagadougou, Burkina Faso, as well as Cuenca, Ecuador. 
This is a strong indication of multiple active infections in those countries.</li> </ul> <p><strong>Actionable Insights: Using Geolocation Data to Enhance Defense</strong></p> <p>The geolocation insights from this analysis suggest several strategies that security teams can use to strengthen their defenses:</p> <ol> <li><strong>Geolocation-Based Blocking</strong><br>Geolocation-based filtering for high-risk regions, such as sanctioned countries, reduces the attack surface for organizations with no legitimate traffic to those regions. It is a coarse control, so pair it with indicator-based blocking rather than relying on it alone; an attacker who routes through infrastructure in a permitted country passes straight through it.<br><br></li> <li><strong>Prioritizing Alerts for Sanctioned Country Traffic</strong><br>DNS lookups from sanctioned regions should be flagged for closer scrutiny, as they may indicate targeted attacks or command-and-control communication.<br><br></li> <li><strong>Integrating DGA Detection</strong><br>Building DGA detection into DNS monitoring, as our <a href="/dns-defense-cloud" rel="noopener" target="_blank">Protective DNS solution</a> does, helps identify infections like Expiro that rely on automated domain generation for their resilience. Lexical scoring of query names and per-host NXDOMAIN rates are the two signals to combine: short, pronounceable generated labels slip past the first, and the second catches them.<br><br></li> <li><strong>Identifying Compromised Local Networks</strong><br>Anomalous lookups from unexpected regions, such as rural areas in the U.S. or less monitored regions in Africa and Latin America, should trigger an investigation into potential compromised networks or relay nodes.</li> </ol> <p><strong>Conclusion</strong></p> <p>By analyzing where domains are being looked up from, rather than just where they’re hosted, we gain a new perspective on cyber threats. Geolocation analysis, combined with insights into sanctioned regions and campaigns like <a href="https://arstechnica.com/security/2023/12/exploit-used-in-mass-iphone-infection-campaign-targeted-secret-hardware-feature/"><span>Operation Triangulation</span></a> and the <strong>Expiro botnet</strong>, helps uncover hidden patterns and highlight potential connections to nation-state actors or criminal organizations. 
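</p> <p>To make the checks above concrete (grouping domains by the set of cities they are looked up from, as in the Sality and phishing clusters; flagging lookups that touch sanctioned countries; and the lexical and NXDOMAIN signals behind DGA detection), here is a small Python script. It is an added example for this post, not ThreatSTOP's code or any part of its platform. The <code>GEOIP</code> prefix table, the <code>LOG</code> resolver lines and the <code>SANCTIONED</code> list are constructed for illustration (a real deployment would use a geo-IP database and live resolver logs); the domain names are the ones discussed above.</p>

```python
"""Geolocate DNS lookups, cluster domains by source city and flag DGA-style
names. Added example for this post, not ThreatSTOP's code. GEOIP (a stand-in
for a geo-IP database such as MaxMind GeoLite2), LOG and SANCTIONED are
constructed; the domain names are the ones discussed in the post."""
import math
import re
from collections import defaultdict

GEOIP = {  # constructed prefix -> (city, country) table
    "203.0.113.": ("St. Peter Port", "GG"),
    "198.51.100.": ("Tehran", "IR"),
    "192.0.2.": ("Karaj", "IR"),
    "100.64.1.": ("Moscow", "RU"),
}
SANCTIONED = {"IR", "RU"}  # illustrative; substitute your own sanctions list
VOWELS = set("aeiou")

# Constructed resolver log, one query per line: "epoch src_ip qname rcode".
LOG = """\
1700000001 203.0.113.10 chicostara.com NOERROR
1700000002 198.51.100.7 chicostara.com NOERROR
1700000003 203.0.113.11 suewyllie.com NOERROR
1700000004 198.51.100.9 suewyllie.com NOERROR
1700000005 192.0.2.4 whjovd.biz NXDOMAIN
1700000006 192.0.2.4 xccjj.biz NXDOMAIN
1700000007 192.0.2.4 uaafd.biz NXDOMAIN
1700000008 192.0.2.4 ywffr.biz NOERROR
1700000009 100.64.1.6 hehckyov.biz NXDOMAIN
1700000010 203.0.113.12 example.org NOERROR
"""

def parse_log(text):
    """Return (qname, src_ip, city, country, rcode) tuples, one per query."""
    records = []
    for line in text.splitlines():
        if line.strip():
            _, ip, qname, rcode = line.split()
            city, cc = next((loc for pfx, loc in GEOIP.items()
                             if ip.startswith(pfx)), ("unknown", "??"))
            records.append((qname.lower().rstrip("."), ip, city, cc, rcode))
    return records

def co_located_groups(records):
    """Domains sharing an identical multi-city lookup footprint, keyed by that
    footprint (the post's 'linked by St. Peter Port and Tehran' pattern)."""
    cities = defaultdict(set)
    for qname, _, city, _, _ in records:
        cities[qname].add(city)
    groups = defaultdict(set)
    for qname, seen in cities.items():
        if len(seen) >= 2:
            groups[frozenset(seen)].add(qname)
    return dict(groups)

def sanctioned_lookups(records):
    """domain -> sanctioned countries it was looked up from (alert priority)."""
    hits = defaultdict(set)
    for qname, _, _, cc, _ in records:
        if cc in SANCTIONED:
            hits[qname].add(cc)
    return dict(hits)

def lexical_dga_score(label):
    """Number of checks firing on a registrable label such as 'whjovd': vowel
    ratio below 0.3, a consonant run of 4+, near-maximal character entropy.
    Two or more is DGA-like. Short pronounceable labels (uaafd) score 0, which
    is why nxdomain_bursts() is used as a second, behavioural signal."""
    label = re.sub(r"[^a-z]", "", label.lower())
    if len(label) < 4:
        return 0
    mask = "".join("v" if c in VOWELS else "c" for c in label)
    longest_run = max(len(run) for run in mask.split("v"))
    probs = [label.count(c) / len(label) for c in set(label)]
    entropy = -sum(p * math.log2(p) for p in probs) / math.log2(len(label))
    return sum([mask.count("v") / len(mask) < 0.3, longest_run >= 4, entropy > 0.95])

def nxdomain_bursts(records, threshold=3):
    """src_ip -> distinct names that failed to resolve, for hosts at or above
    threshold: a host probing unregistered names fits the DGA pattern."""
    misses = defaultdict(set)
    for qname, ip, _, _, rcode in records:
        if rcode == "NXDOMAIN":
            misses[ip].add(qname)
    return {ip: len(n) for ip, n in misses.items() if len(n) >= threshold}

def report(text=LOG):
    """All findings for a log. The registrable label is taken as the
    second-to-last label; a real tool would consult the Public Suffix List."""
    records = parse_log(text)
    return {
        "co_located": co_located_groups(records),
        "sanctioned": sanctioned_lookups(records),
        "dga_like": sorted(q for q in {r[0] for r in records}
                           if lexical_dga_score(q.split(".")[-2]) >= 2),
        "nxdomain_bursts": nxdomain_bursts(records),
    }

if __name__ == "__main__":
    print(report())
```

<p>On the constructed log, chicostara[.]com and suewyllie[.]com fall into a single group keyed by the {St. Peter Port, Tehran} footprint, every lookup from the Tehran, Karaj and Moscow prefixes lands in the sanctioned report, and the Karaj host trips the NXDOMAIN burst check. Note which Expiro names the lexical score catches: whjovd, xccjj, ywffr and hehckyov all fire two of the three checks, but uaafd[.]biz scores zero and is only caught because the same host also failed to resolve two other generated names. Point the script at real resolver logs with a real geo-IP lookup in place of <code>GEOIP</code>, and tune the thresholds against a week of your own traffic before alerting on them.</p> <p>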
Understanding these patterns empowers security teams to strengthen defenses and proactively respond to emerging threats.</p> <p>At ThreatSTOP, we integrate geolocation insights into our comprehensive DNS protection services, helping organizations detect and block malicious activity no matter where it originates. To learn more about how we can help your organization stay secure, visit our <a href="https://www.threatstop.com/threatstop-platform"><span>Threat Intelligence Solutions</span></a> page.</p> <p><strong>Connect with Customers, Disconnect from Risks.</strong></p></span>