Summary:
Silent Push has been investigating the FUNULL content delivery network for two years, uncovering a vast malicious domain cluster linked to various cybercriminal activities. Their findings reveal over 200,000 hostnames, most of them generated by a domain generation algorithm, with numerous suspicious indicators and artifacts identified. The research highlights the importance of monitoring such networks for threat detection and response.
#CyberThreats #DomainGenerationAlgorithm #MaliciousIndicators
Keypoints:
Silent Push has monitored the FUNULL CDN for two years, linking it to various cybercriminal campaigns.
FUNULL hosts over 200,000 hostnames, 95% generated by a domain generation algorithm called “Triad Nexus.”
21 subdomains and 42 domains were identified as suspicious indicators.
The analysis revealed 113 email-connected domains and 33 IP addresses, four of the IP addresses being malicious.
274 IP-connected domains were found, with one associated with threats.
11,428 string-connected subdomains were identified, with 16 being malicious.
Suspicious domains were registered between 2002 and 2024, with a significant number being newly registered.
Most suspicious domains were registered in Malaysia and the U.S.
Threat Intelligence API queries indicated that four of the 33 IP addresses were linked to various threats.
Historical data showed that the domain polyfill[.]io resolved to over 100 IP addresses since 2019.
MITRE Techniques:
Command and Control (T1071): Utilizes multiple command and control domains to maintain communication with compromised systems.
Domain Generation Algorithm (T1483): Employs algorithms to create a large number of domain names for use in command and control communications.
Phishing (T1566): Engages in deceptive practices to trick users into revealing sensitive information or downloading malware.
Malware Distribution (T1070): Distributes malicious software through various means, including compromised networks and domains.
IoC:
[domain] polyfill[.]io
[domain] valentinogtm[.]com
[ip address] 76.223.67.189
[email] public_email_1@example.com
[email] public_email_2@example.com
[email] public_email_3@example.com
[email] public_email_4@example.com
Full Research: https://circleid.com/posts/a-dns-deep-dive-into-funulls-triad-nexus