Stockpiled domains, also known as domain stockpiling or domain warehousing, refer to the practice of acquiring and holding a large number of domain names. Threat actors leverage this method to carry out attacks like phishing attacks, malware delivery or command-and-control attacks. By registering these domains in bulk, attackers have a vast amount of new, unknown malicious domains they can alternate through when one has been detected.
dnSpy is a popular open-source debugger and .NET assembly editor used for analyzing and modifying .NET programs, software ,and malware. The original software is no longer actively deployed but the source code and newly modified versions can be found on GitHub, meaning it can be duplicated, modified and used by anyone.
Recently, a threat actor created a GitHub repository consisting of a modified version of dnSPY that has the ability to install an assortment of malware, including clipboard hijackers to steal cryptocurrency, a miner, Quasar RAT, and other malicious and unknown payloads, in attempts to steal undisclosed bugs and source codes, gain access to confidential networks and much more. Additionally, the attacker created a convincing website, dnSPY[.]net, and promoted it using a successful and effective campaign. In order to create this site and launch the attack, the adversary purchased a number of domains from different registrars using various accounts, allowing them to alternate between domains when one has been identified by security scanners.
For more information on this particular case study, please refer to the following articles:
Due to adversaries leveraging automation to stockpile a vast amount of domains to use in a malicious campaign, this leaves traces of information about their campaigns in various data sources such as certificate transparency log and passive DNS data. Palo Alto Networks has leveraged this information to build an industry-first detector to identify an attack using stockpiling domains.
We have engineered a vast amount of features to analyze and identify when domains were part of bulk registration and understand when it was registered and by who. We also leverage globally available databases such as transparency logs that include the timestamps of domains where a certificate has been generated. By doing a time correlation of the certificate generation, DNS Security can identify other stockpiled domains registered by an attacker. This information is used to train our ML-powered models in the cloud to identify and prevent malicious stockpiled domains in real time. By detecting stockpiled domains, Palo Alto Networks is able to expand its DNS-layer threat coverage and prevent patient zero.
As of June 2023, DNS Security has detected 959,220 unique stockpiled domain names and additionally continues to identify tens of thousands of malicious domains every week.
The Stockpiled Domain detection has already been added to DNS Security in May, 2023 and is available to customers who are using PAN-OS 10.0 and later. There is no configuration change required for this detection. These domains will be categorized under the DNS grayware category with the default action set to ‘block’.
Find Out More:
Unit 42: Toward Ending the Domain Wars: Early Detection of Malicious Stockpiled Domains
Tech Docs: DNS Security: Cloud-Delivered DNS Signatures and Protections
You must be a registered user to add a comment. If you've already registered, sign in. Otherwise, register and sign in.
| Subject | Likes |
|---|---|
| 2 Likes | |
| 2 Likes | |
| 1 Like | |
| 1 Like | |
| 1 Like |
