Romance-themed malicious campaigns are launched throughout the year, but days leading up to Valentine’s Day could be particularly timely for such activities. WhoisXML API researchers analyzed more than 70 indicators of compromise (IoCs) related to multiple romance-themed campaigns, including a Japanese online dating scam, the BazaLoader campaign, and the romance-crypto malicious combo dubbed “CryptoRom.” We uncovered several connections and artifacts, and our analysis includes the following:
- Unredacted registrant email addresses of the malicious domains gleaned from WHOIS history records
- Thousands of domains sharing the unredacted registrant email addresses
- Possible use of domain generation algorithms (DGAs) in several of the IoCs
- Hundreds of DGA-using domains recently registered in bulk in the last week of January 2022
You may download the complete list of IoCs, artifacts, and other data points from our website.
Historical WHOIS Yields Thousands of Domain Connections
While some of the domains tagged as IoCs have been left to expire and several active ones had redacted WHOIS records, WHOIS history still left breadcrumbs that allowed us to trace domain connections. In particular, we discovered nine unredacted registrant email addresses, several of which were Yahoo! email addresses.
Current and historic reverse WHOIS searches for these email addresses yielded 10,156 additional domain names. At one point, these domains shared the same registrant with the IoCs, making them suspicious at the very least.
Machine-Generated Domains
Besides the registrant email addresses, the connected domains had other characteristics in common with the IoCs. One, a majority of the IoCs show patterns consistent with that of DGAs. The same was true for the artifacts we discovered. A few examples are shown below.
Japan Online Dating Scam IoCs | Connected Domains | CryptoRom IoCs | Connected Domains |
---|---|---|---|
bgmdvusqbsx[.]jp bwsyxpadka[.]jp[.]com crsiystr399[.]jp cwiabwtrrt[.]jp kgwhha-erwgh[.]com |
iuehbja-rwj74a[.]com khsg-aapop4aq[.]com hgwehgah-77[.]com xxcdmfva-9axxc[.]com ttishw-wagha7a8[.]com |
qqkkd[.]com slhb518[.]com bxjys[.]xyz fxtmjy[.]com gpwtrad[.]com |
hqhcw[.]net hjqhw[.]net 242302[.]com 375364[.]com 721504[.]com |
The WHOIS records of these domains showed that some were registered on the same day. They may have been registered in bulk, along with other similar-looking domains, and used by threat actors gradually—a behavior that is consistent with what we found in a research study focusing on more than 13,000 domains bulk-registered on the same day. We discussed our findings in detail in this webinar. But what stood out was that bulk registration can serve as an early-warning mechanism for identifying suspicious domains.
We can find more suspicious web properties using DGA usage and bulk registration as criteria. For instance, on 24—30 January 2022, the Typosquatting Data Feed picked up several groups of DGA-using domains. The largest group consists of 305 domains registered on 30 January 2022 and uses the .xyz top-level domain (TLD).
While these domains may not be direct artifacts of the romance-themed campaigns in this study, they are helpful when conducting IoC list expansion. We included these domains in the downloadable threat research materials, along with two other groups of bulk-registered DGA-using domains.
Adult Content
Subjecting a sample of the connected domains to a screenshot analysis revealed the type of content they host. While some were parked, several hosted adult-related content.
Malicious Domain Alert
We also ran a malware check on a sample comprising 56% of the total number of connected domains and found that 16 were malicious, including:
- iueyughba-55ea[.]com
- 031632[.]com
- ddxxp[.]com
- 092286[.]com
- qqhhm[.]com
Some Internet users might be lured into visiting online dating sites and other websites promising gifts, companionship, and other Valentine’s Day treats in the days leading up to the occasion. This type of campaign may use domains that utilize DGAs, among others, based on past behaviors. We just uncovered more than 10,000 domains that could be related to past IoCs.
Looking out for more related domains through WHOIS record heuristics can help warn people against domains that could figure in malicious campaigns.
If you are a threat researcher or cybersecurity professional interested in the IoCs and artifacts presented in this study, please contact us to learn more about our cyber threat intelligence sources and possible research collaboration.