The number of malicious inactive domains is increasing, and according to researchers, around 22.3 percent of strategically aged domains constitute a threat. Researchers were taken aback when it was revealed that the SolarWinds threat actors depended on domains registered years before their malicious operations began. As a result, attempts to discover strategically aged domains before launching cyberattacks or enabling malicious activities have accelerated.
Palo Alto Networks’ Unit42 released a paper detailing their results after looking at tens of thousands of domains each day from September 2021 to September 2022. They concluded that about 3.8 percent are outright nasty, 19 percent are suspicious, and 2% are dangerous in the workplace. The purpose of registering a domain long before threat actors intend to use it is to generate a “clean record” that will prevent security detection systems from thwarting nefarious efforts.
Because Newly Registered Domains (NRDs) are more likely to be malicious, security solutions evaluate them as suspect and are more likely to flag them. According to Unit42’s analysis, strategically aged domains, on the other hand, are three times more likely to be harmful than NRDs. These domains were idle for two years in some situations before their DNS traffic suddenly rose by 165 times, signaling the start of an attack.
A Pegasus espionage program that used two C2 domains registered in 2019 and activated in July 2021 was one significant example caught by Unit42 in September. DGA domains were critical to the campaign’s success, carrying 23.22 percent of the traffic on the activation day, which was 56 times greater than usual DNS traffic. DGA traffic accounted for 42.04 percent of overall traffic a few days later.
Other real-world examples discovered by the researchers include phishing efforts that exploited DGA subdomains as cloaking layers to send ineligible users and crawlers to genuine sites while sending victims to phishing pages. This demonstrates that these DGAs may be used as proxy layers and C2 domains, depending on the campaign’s requirements. Finally, there have been instances of wildcard DNS abuse in which numerous subdomains refer to the same IP address.
“These hostnames serve randomly generated websites that fill out some website templates with random strings,” details the Unit42 report. “They could be used for black hat SEO. Specifically, these web pages link to each other to obtain a high rank from search engine crawlers without providing valuable information.”
In most situations, smart players that operate in a more structured framework and have long-term goals employ strategically aged domains. They’re used to leverage DGA to exfiltrate data via DNS traffic, act as proxy layers, or mimic famous businesses’ domains (cybersquatting). Although detecting DGA activity remains difficult, defenders may do a lot by monitoring DNS data such as requests, replies, and IP addresses and concentrating on trends.
