1. Home
  2. Techniques
  3. Enterprise
  4. Acquire Infrastructure
  5. Domains

Acquire Infrastructure: Domains

ID Name
T1583.001 Domains
T1583.002 DNS Server
T1583.003 Virtual Private Server
T1583.004 Server
T1583.005 Botnet
T1583.006 Web Services
T1583.007 Serverless
T1583.008 Malvertising

Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.

Adversaries may use acquired domains for a variety of purposes, including for Phishing, Drive-by Compromise, and Command and Control.[1] Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).[2][3] Typosquatting may be used to aid in delivery of payloads via Drive-by Compromise. Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.[4][5][6][7][8]

Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).[9][10][11][12]

Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.[13][14][15][16]

Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.[17]

In addition to legitimately purchasing a domain, an adversary may register a new domain in a compromised environment. For example, in AWS environments, adversaries may leverage the Route53 domain service to register a domain and create hosted zones pointing to resources of the threat actor’s choosing.[18]

ID: T1583.001
Sub-technique of:  T1583
Tactic: Resource Development
Platforms: PRE
Contributors: Deloitte Threat Library Team; Menachem Goldstein; Nikola Kovac; Oleg Kolesnikov, Securonix; Vinayak Wadhwa, Lucideus; Wes Hurd
Version: 1.4
Created: 30 September 2020
Last Modified: 25 September 2024
Version Permalink

Procedure Examples

ID Name Description
G0006 APT1

APT1 has registered hundreds of domains for use in operations.[17]
G0007 APT28

APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.[2][19][20]
G0050 APT32

APT32 has set up and operated websites to gather information and deliver malware.[21]
G1002 BITTER

BITTER has registered a variety of domains to host malicious payloads and for C2.[22]
C0010 C0010

For C0010, UNC3890 actors established domains that appeared to be legitimate services and entities, such as LinkedIn, Facebook, Office 365, and Pfizer.[23]
C0011 C0011

For C0011, Transparent Tribe registered domains likely designed to appear relevant to student targets in India.[24]
C0021 C0021

For C0021, the threat actors registered domains for use in C2.[25]
C0026 C0026

For C0026, the threat actors re-registered expired C2 domains previously used for ANDROMEDA malware.[26]
C0004 CostaRicto

For CostaRicto, the threat actors established domains, some of which appeared to spoof legitimate domains.[27]
G1012 CURIUM

CURIUM created domains to facilitate strategic website compromise and credential capture activities.[28]
S1111 DarkGate

DarkGate command and control includes hard-coded domains in the malware chosen to masquerade as legitimate services such as Akamai CDN or Amazon Web Services.[29]
G0035 Dragonfly

Dragonfly has registered domains for targeting intended victims.[30]
G1006 Earth Lusca

Earth Lusca has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks.[31]

G1011 EXOTIC LILY

EXOTIC LILY has registered domains to spoof targeted organizations by changing the top-level domain (TLD) to ".us", ".co" or ".biz".[32]
G0137 Ferocious Kitten

Ferocious Kitten has acquired domains imitating legitimate sites.[33]
G0046 FIN7

FIN7 has registered look-alike domains for use in phishing campaigns.[34]
C0007 FunnyDream

For FunnyDream, the threat actors registered a variety of domains.[35]
G0047 Gamaredon Group

Gamaredon Group has registered multiple domains to facilitate payload staging and C2.[36][37]
G1001 HEXANE

HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.[38][39][40]
G0136 IndigoZebra

IndigoZebra has established domains, some of which were designed to look like official government domains, for their operations.[41]
G0094 Kimsuky

Kimsuky has registered domains to spoof targeted organizations and trusted third parties including search engines, web platforms, and cryptocurrency exchanges.[42][43][44][45][46][47][48]
G0032 Lazarus Group

Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels.[49][50]
G0140 LazyScripter

LazyScripter has used dynamic DNS providers to create legitimate-looking subdomains for C2.[51]
G0065 Leviathan

Leviathan has established domains that impersonate legitimate entities to use for targeting efforts. [52][53]
G0059 Magic Hound

Magic Hound has registered fraudulent domains such as "mail-newyorker.com" and "news12.com.recover-session-service.site" to target specific victims with phishing attacks.[54]
G0045 menuPass

menuPass has registered malicious domains for use in intrusion campaigns.[55][56]
G1036 Moonstone Sleet

Moonstone Sleet registered domains to develop effective personas for fake companies used in phishing activity.[57]
G0129 Mustang Panda

Mustang Panda have acquired C2 domains prior to operations.[58][59][60]
C0022 Operation Dream Job

During Operation Dream Job, Lazarus Group registered a domain name identical to that of a compromised company as part of their BEC effort.[61]
C0016 Operation Dust Storm

For Operation Dust Storm, the threat actors established domains as part of their operational infrastructure.[62]
C0023 Operation Ghost

For Operation Ghost, APT29 registered domains for use in C2 including some crafted to appear as existing legitimate domains.[63]
C0006 Operation Honeybee

During Operation Honeybee, threat actors registered domains for C2.[64]
C0005 Operation Spalax

For Operation Spalax, the threat actors registered hundreds of domains using Duck DNS and DNS Exit.[65]
S1130 Raspberry Robin

Raspberry Robin uses newly-registered domains containing only a few characters for command and controll purposes, such as "v0[.]cx".[66]
G0034 Sandworm Team

Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages, while also hosting these items on legitimate, compromised network infrastructure.[67][68]
G0122 Silent Librarian

Silent Librarian has acquired domains to establish credential harvesting pages, often spoofing the target organization and using free top level domains .TK, .ML, .GA, .CF, and .GQ.[69][70][71][72][73][74]
C0024 SolarWinds Compromise

For the SolarWinds Compromise, APT29 acquired C2 domains, sometimes through resellers.[75][76]
G1033 Star Blizzard

Star Blizzard has registered domains using randomized words and with names resembling legitimate organizations.[77][78]

G1018 TA2541

TA2541 has registered domains often containing the keywords "kimjoy," "h0pe," and "grace," using domain registrars including Netdorm and No-IP DDNS, and hosting providers including xTom GmbH and Danilenko, Artyom.[79][80]
G0092 TA505

TA505 has registered domains to impersonate services such as Dropbox to distribute malware.[81]
G0139 TeamTNT

TeamTNT has obtained domains to host their payloads.[82]
G0027 Threat Group-3390

Threat Group-3390 has registered domains for C2.[83]
G0134 Transparent Tribe

Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.[84][85]
G0044 Winnti Group

Winnti Group has registered domains for C2 that mimicked sites of their intended targets.[86]
G1035 Winter Vivern

Winter Vivern registered domains mimicking other entities throughout various campaigns.[87]
G0128 ZIRCONIUM

ZIRCONIUM has purchased domains for use in targeted campaigns.[88]

Mitigations

ID Mitigation Description
M1056 Pre-compromise

Organizations may intentionally register similar domains to their own to deter adversaries from creating typosquatting domains. Other facets of this technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component Detects
DS0038 Domain Name Active DNS

Monitor queried domain name system (DNS) registry data for purchased domains that can be used during targeting. Reputation/category-based detection may be difficult until the categorization is updated. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.
Domain Registration

Domain registration information is, by design, captured in public registration logs. Consider use of services that may aid in tracking of newly acquired domains, such as WHOIS databases and/or passive DNS. In some cases it may be possible to pivot on known pieces of domain registration information to uncover other infrastructure purchased by the adversary. Consider monitoring for domains created with a similar structure to your own, including under a different TLD. Though various tools and services exist to track, query, and monitor domain name registration information, tracking across multiple DNS infrastructures can require multiple tools/services or more advanced analytics.[89] Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.
Passive DNS

Monitor logged domain name system (DNS) data for purchased domains that can be used during targeting. Reputation/category-based detection may be difficult until the categorization is updated. Detection efforts may be focused on related stages of the adversary lifecycle, such as during Initial Access and Command and Control.

References

  1. CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October 1, 2020.
  2. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015.
  3. Bob Sullivan. (2000, July 24). PayPal alert! Beware the 'PaypaI' scam. Retrieved March 2, 2017.
  4. CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020.
  5. Malhotra, A., Thattil, J. et al. (2022, March 29). Transparent Tribe campaign uses new bespoke malware to target Indian government officials . Retrieved September 6, 2022.
  6. Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal . Retrieved July 29, 2022.
  7. RISKIQ. (2022, March 15). RiskIQ Threat Intelligence Roundup: Campaigns Targeting Ukraine and Global Malware Infrastructure. Retrieved July 29, 2022.
  8. RISKIQ. (2017, December 20). Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry. Retrieved July 29, 2022.
  9. Ostorlab. (n.d.). iOS URL Scheme Hijacking. Retrieved February 9, 2024.
  10. Michael Cobb. (2007, October 11). Preparing for uniform resource identifier (URI) exploits. Retrieved February 9, 2024.
  11. Nathan McFeters. Billy Kim Rios. Rob Carter.. (2008). URI Use and Abuse. Retrieved February 9, 2024.
  12. Australian Cyber Security Centre. National Security Agency. (2020, April 21). Detect and Prevent Web Shell Malware. Retrieved February 9, 2024.
  13. MDSec Research. (2017, July). Categorisation is not a Security Boundary. Retrieved September 20, 2019.
  14. Krebs, B. (2018, November 13). That Domain You Forgot to Renew? Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019.
  15. Mudge, R. (2017, February 6). High-reputation Redirectors and Domain Fronting. Retrieved July 11, 2022.
  16. Fehrman, B. (2017, April 13). How to Bypass Web-Proxy Filtering. Retrieved September 20, 2019.
  17. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016.
  18. Invictus Incident Response. (2024, January 31). The curious case of DangerDev@protonmail.me. Retrieved March 19, 2024.
  19. Brady, S . (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al.. Retrieved October 1, 2020.
  20. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022.
  21. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020.
  22. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022.
  23. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022.
  24. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022.
  25. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.
  26. Hawley, S. et al. (2023, February 2). Turla: A Galaxy of Opportunity. Retrieved May 15, 2023.
  27. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021.
  28. PwC Threat Intelligence. (2023, October 25). Yellow Liderc ships its scripts and delivers IMAPLoader malware. Retrieved August 14, 2024.
  29. Ernesto Fernández Provecho, Pham Duy Phuc, Ciana Driscoll & Vinoo Thomas. (2023, November 21). The Continued Evolution of the DarkGate Malware-as-a-Service. Retrieved February 9, 2024.
  30. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021.
  31. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022.
  32. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022.
  33. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021.
  34. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc.. Retrieved September 20, 2021.
  35. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022.
  36. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
  37. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
  38. SecureWorks 2019, August 27 LYCEUM Takes Center Stage in Middle East Campaign Retrieved. 2019/11/19
  39. Dragos. (n.d.). Hexane. Retrieved October 27, 2019.
  40. ClearSky Cyber Security . (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022.
  41. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021.
  42. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020.
  43. Cimpanu, C. (2020, September 30). North Korea has tried to hack 11 officials of the UN Security Council. Retrieved November 4, 2020.
  44. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020.
  45. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020.
  1. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021.
  2. KISA. (2021). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 8, 2024.
  3. Mandiant. (2024, March 14). APT43: North Korean Group Uses Cybercrime to Fund Espionage Operations. Retrieved May 3, 2024.
  4. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021.
  5. Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021.
  6. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021.
  7. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021.
  8. Accenture iDefense Unit. (2019, March 5). Mudcarp's Focus on Submarine Technologies. Retrieved August 24, 2021.
  9. Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021.
  10. United States District Court Southern District of New York (USDC SDNY) . (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019.
  11. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020.
  12. Microsoft Threat Intelligence. (2024, May 28). Moonstone Sleet emerges as new North Korean threat actor with new bag of tricks. Retrieved August 26, 2024.
  13. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021.
  14. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021.
  15. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021.
  16. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021.
  17. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021.
  18. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020.
  19. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018.
  20. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022.
  21. Lauren Podber and Stef Rand. (2022, May 5). Raspberry Robin gets the worm early. Retrieved May 17, 2024.
  22. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al.. Retrieved November 25, 2020.
  23. Joseph Slowik, DomainTools. (2021, March 3). Centreon to Exim and Back: On the Trail of Sandworm. Retrieved April 6, 2024.
  24. DOJ. (2018, March 23). U.S. v. Rafatnejad et al . Retrieved February 3, 2021.
  25. Hassold, Crane. (2018, March 26). Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment. Retrieved February 3, 2021.
  26. Counter Threat Unit Research Team. (2018, August 24). Back to School: COBALT DICKENS Targets Universities. Retrieved February 3, 2021.
  27. Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021.
  28. Counter Threat Unit Research Team. (2019, September 11). COBALT DICKENS Goes Back to School…Again. Retrieved February 3, 2021.
  29. Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021.
  30. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021.
  31. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021.
  32. CISA, et al. (2023, December 7). Russian FSB Cyber Actor Star Blizzard Continues Worldwide Spear-phishing Campaigns. Retrieved June 13, 2024.
  33. Microsoft Threat Intelligence. (2023, December 7). Star Blizzard increases sophistication and evasion in ongoing attacks. Retrieved February 13, 2024.
  34. Larson, S. and Wise, J. (2022, February 15). Charting TA2541's Flight. Retrieved September 12, 2023.
  35. Ventura, V. (2021, September 16). Operation Layover: How we tracked an attack on the aviation industry to five years of compromise. Retrieved September 15, 2023.
  36. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022.
  37. Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021.
  38. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023.
  39. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016.
  40. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021.
  41. Kaspersky Lab's Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017.
  42. Chad Anderson. (2021, April 27). Winter Vivern: A Look At Re-Crafted Government MalDocs Targeting Multiple Languages. Retrieved July 29, 2024.
  43. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021.
  44. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021.