Dynamic DNS services are oftentimes used for legitimate purposes - until they're not. These services allow a domain name to point to 'moving' resources on the Internet that change their public IP address at varying intervals. A small business may use a DynDNS service legitimately for network management (because DHCP-assigned addresses change), yet many threat actors abuse dynamic DNS to mask their activity, identity, and physical location.

Our team came across Mooo[.]com while researching the infrastructure of an attack campaign by APT-C-59, a Chinese cyber gang that surfaced in 2020 (also dubbed Wuqiongdong). One of the attack domains, hao.360.mooo[.]com, led us to research the dynamic DNS service FreeDNS as a platform used for malware distribution.

Image: AlienVault OTX

Providing domain hosting, as well as static and dynamic DNS services for free - FreeDNS is a classic example of a service that your neighbor's teen will use to kick off their online hat store, and cyber criminals will use to host infection sites and C2s for malware. All four FreeDNS afraid[.]org nameservers related to Mooo[.]com are also known for malicious activity on VirusTotal.

If your business' daily activity relies on viewing a variety of esoteric small business websites, it may not be worthwhile for you to block fishy, free dynamic DNS services, even if the price is being far more exposed to a malware or ransomware attack. But if your employees aren't supposed to be constantly scouring the web for unofficial websites like peel[.]mooo[.]com or bbqsauce[.]mooo[.]com, we definitely recommend blocking services like this one as a whole. Our team recently reviewed the free Dynamic DNS service DuckDNS, which serves as another example of dynamic DNS hosting a ton of badness, and very little critical web destinations (if any).

Another important lesson to learn from the widespread use of dynamic DNS today is that it's not enough to block cyber attacker infrastructure IPs. Blocking the IP provides only momentary protection, and it quickly becomes obsolete when the domain moves to a new address. With ThreatSTOP Protective DNS, users are protected at the domain level. No matter which IP hao.360.mooo[.]com (or any other malicious dynamic domain) resolves to - ThreatSTOP has you covered.
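To make the domain-versus-IP point concrete, here is an added example (not ThreatSTOP's code, and not part of the original post) that scores constructed DNS query log lines against a single-IP blocklist and against a list of dynamic DNS apex zones blocked "as a whole". The zone list, log format and all addresses are assumptions; the dynamic domain's second resolution shows why only the domain rule keeps firing after the IP moves.

```python
# Added example (not ThreatSTOP code): compare blocking one resolved IP with
# blocking an entire dynamic DNS zone. Zone list, log format, IPs are assumed.
from typing import Dict, List, Optional, Set

# Constructed DNS query log: timestamp, client, queried name, answer IP.
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 hao.360.mooo.com 203.0.113.10
2024-01-01T11:00:00 10.0.0.5 hao.360.mooo.com 198.51.100.7
2024-01-01T11:05:00 10.0.0.9 peel.mooo.com. 203.0.113.44
2024-01-01T11:10:00 10.0.0.9 www.example.com 93.184.216.34
2024-01-01T11:12:00 10.0.0.7 notmooo.com 203.0.113.10
"""

# Apex zones of free dynamic DNS providers to block as a whole (assumed list).
DYNDNS_ZONES: Set[str] = {"mooo.com", "duckdns.org"}
# IP-based block entry taken from one earlier resolution of hao.360.mooo.com.
IP_BLOCKLIST: Set[str] = {"203.0.113.10"}


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing root dot."""
    return name.lower().rstrip(".")


def blocked_zone(name: str, zones: Set[str]) -> Optional[str]:
    """Return the blocked zone containing `name`, matching whole labels only,
    so 'notmooo.com' is not mistaken for a subdomain of 'mooo.com'."""
    labels = normalize(name).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in zones:
            return candidate
    return None


def evaluate(log_text: str, zones: Set[str], ip_blocklist: Set[str]) -> List[Dict]:
    """Score every log line under both policies and report which would fire."""
    verdicts = []
    for line in log_text.strip().splitlines():
        _ts, _client, qname, answer = line.split()
        zone = blocked_zone(qname, zones)
        verdicts.append({
            "name": normalize(qname),
            "ip": answer,
            "ip_blocked": answer in ip_blocklist,     # stale once the host moves
            "domain_blocked": zone is not None,       # follows the name anywhere
            "zone": zone,
        })
    return verdicts
```

Note that the last line also shows the downside of IP-only blocking: an unrelated name that later lands on the listed address is blocked too, while the zone rule leaves it alone.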
