emotet trojan

Attackers use Emotet and impersonate McAfee to profit from parking domain names

In order to analyze the contents of the current parking area, the researchers collected the parking areas detected from March 2020 to September 2020, and the parking areas whose category was changed from parking to other categories within the same time frame. On average, the researchers found that 27,000 new hosted domains were discovered every day, and 35,000 existing hosted domains were reclassified. All in all, in the past six months, the researchers’ channel has identified 5 million new hosted domains and reclassified 6 million hosted domains into other categories.

Figure 1 summarizes how researchers observed the changes in parking domains during this period. For simplicity, the researchers divided the “URL filtering” categories into four categories: malicious, insecure, suspicious, and benign. Malicious categories include malware, command and control (C2), phishing, and grayware. Adults, gambling and nudity are in an unsafe working class. For suspicious, researchers include suspicious, insufficient content, and high-risk domains. Based on suspicious web content, websites are considered to be suspicious website content, and insufficient content categories are usually applied to blank websites. High risk means that the domain name shows behavior similar to a malicious domain name. The benign category includes all other categories, such as business and economics, computer and Internet information, and shopping. It can be seen from Figure 1 that for hosted domains, the rate of malicious changes is 1.0%, the rate of unsafe work changes is 2.6%, and the rate of suspicious changes is 30.6%. In contrast, the non-benign change rate of the parking category is eight times that of the benign category.

In the past six months, the list of categories that researchers have observed to store domain names has been changed

Figure 2 shows the distribution of the number of days that the researchers finally classified as malicious and benign domains stayed before changing the category. The researchers aggregated the number of category changes during the 10-day parking period and standardized by the total number of domain names in each category. statistics. It can be seen from Figure 2 that more than 25.9% of the malicious categories have been parked for no more than 10 days, which is significantly different from most benign categories, which are parked for about 60-69 days. Researchers speculate that many cybercriminals do not age their domain names (a method used to evade detection characteristics based on the domain name life cycle), but use them to attack as quickly as possible.

Based on observations in the last six months, the number of days the domain was parked before the category was changed

Ecosystem and attack vector

In this section, researchers will further study the benefits of detecting and blocking parking domains. Researchers first decompose the domain name parking ecosystem into different stakeholder groups. Then, the researchers proved that the largest attack vector is domain registration, because an attacker can register a parked domain and turn it malicious at any time. Second, the researchers showed that attackers can abuse the lack of advertising control by some of the smaller ad networks used by the parking service to redirect visitors to malicious or unwanted landing pages. Finally, the researchers proved that even the parking service itself poses a threat to users.


Figure 3 shows the main stakeholder groups and their relationships in the domain name parking ecosystem, namely domain name owners, parking service providers, advertising networks, and advertisers. Please note that the term “stakeholder” used here represents a role and can refer to the same object or multiple objects. The domain name owner owns the hosted domain name and has an incentive to profit from the parking service provider. The parking service provider integrates and organizes objects from the advertising network to profit from user traffic. Advertising networks describe user traffic from parking domains and display advertisements to users of interested advertisers.

As mentioned earlier, domain name owners need to point their NS records to the parking service’s name server to “park” their domain name. Researchers measure the popularity of service providers by examining the DNS NS records of parking domains detected from March 2020 to September 2020. Figure 4 lists the top 15 most popular NS domains. Most of the hosted domain names are resolved by the NS of large registrars, including GoDaddy (domaincontrol[.]com) and NameBright (namebrightdns[.]com). In addition to large registrars and hosting service providers, the researchers also identified several specialized parking service providers. The most popular dedicated provider is Sedo (sedoparking[.]com), which is used by 19.5% of domain names.

List of parking service providers, including registrars, hosting providers and dedicated parking providers

Domain name registration abuse

If the domain name becomes a malicious domain name, it will pose a threat to users. Figure 1 shows that 1.0% of parked domain names eventually become malicious categories, such as C2 and malware. Some attackers seem to park the page in their domain before deploying malicious content, which may amortize the cost.

For example, researchers observed the malicious life cycle of the domain name valleymedicalandsurgicalclinic[.]com, which was registered on July 8, 2020. The researchers’ newly registered domain detector discovered this domain, and the researchers’ parking detector pipeline classified it as “parked” based on the content of the website. Two months later, the researchers’ malware analysis engine WildFire captured multiple URLs. It is part of the global Emotet campaign (for more information, please refer to the researcher’s recent Emotet blog ). Emotet is one of the most popular malware series spread through emails. The documents attached to the phishing emails contain macro scripts that call back from the victim’s computer to the C2 server. Emotet further downloads the payload of the Trojan horse, steals the victim’s credential information, and even damages their computer. Researchers can see many suspicious behaviors from these files, including incorrect file extensions and communications with multiple C2 servers, such as 50.91.114[.]38 and 51.38.124[.]206, as shown in Figure 5. An overview of the various stages of Emotet activities.

The activities observed by researchers so far have been initiated using multiple domains around the world. During this attack, Palo Alto Networks observed targeting various global industries including the United States, the United Kingdom, France, Japan, South Korea, and Italy (e.g. education , Government, energy, manufacturing, construction and telecommunications) organizations. The attack on the French organization also took advantage of the COVID-19 global pandemic: it used Covid19 as the subject of emails, but none of the attacks were successful.

Advertising abuse

The domain parking ecosystem relies on advertisers to profit from user traffic. As mentioned earlier, parking services can show users a list of advertisements (and get paid based on the number of times users click on these ads), or automatically redirect users to advertisers Page (and get paid based on the number of visits by the user). Parking services and advertising networks generally have no means or will to filter malicious advertisers (ie attackers). As a result, users face various threats, such as the spread of malware, the spread of Potentially Unwanted Programs (PUP) and scams. According to the researcher’s experience, the researcher will often observe the distribution of grayware.

Researchers have observed that the attackers abused the domain Peoplesvote[.]uk related to the current US presidential election, which is the seventh most popular domain name parking service allowed due to lack of control, as shown in Figure 4. When visiting Peoplesvote[.]uk, most of the time, an advertisement list page is displayed to the user, as shown in Figure 6. However, sometimes users are first redirected to 0redira[.]com/jr.php, which hosts a development kit script, and then redirected to a survey website to ask the user’s voting preferences, as shown in Figure 7. The development kit script parked on 0redira[.]com/jr.php will silently fingerprint the browser to track the user’s web activity and hide the login URL. It is worth noting that these pages are still active at the time of writing.

Voting preference login page, sometimes seen after visiting peoplesvote[.]uk and redirecting it to the survey website

In addition, the researchers observed that the attackers abused Sedo, the largest dedicated parking service provider. They found a parking domain name xifinity[.]com, which is a cybersquatting domain name imitating xifinity[.]com. SEDO is the world’s leading online domain name dealer and parker with a full range of supporting services. The company is headquartered in Cologne, Germany, and has branches in Boston, USA and London, UK. There are currently more than 2 million customers who conduct domain name transactions on Sedo’s platform in more than 20 languages. When users try to visit the Xfinity website but inadvertently enter another “i”, they will to xifinity[.]com and be redirected to the advertiser page. The researchers determined that the traffic to the domain has been sold to multiple advertisers, one of which is softonic[.]com, which is responsible for providing users with a software download page.

In addition to legitimate advertisers, the researchers also captured multiple redirects of PUPs by attackers. Figure 8 shows one of the abusive landing pages, which is antivirus-protection[.]com-123[.]xyz at the domain preemption level. The landing page attempts to trick users into believing that their computer has been infected and that their McAfee subscription has expired. Clicking the “Continue” button will redirect the user to a legitimate McAfee download page that provides antivirus subscriptions. Researchers believe that the attackers abused McAfee’s membership program to steal advertising revenue.

Compared with other hosted domain names, xifinity[.]com has a high traffic volume as a cybersquatting domain name. From June 2020 to September 2020, researchers observed more than 1,000 DNS requests for xifinity[.]com in the passive DNS dataset. As of this writing, the domain is still active, antivirus-protection[. ]com-123[.]xyz is the same. From the perspective of domain name owners, using parking services is a convenient way to monetize user traffic. However, since abusive advertisers (ie attackers) are not filtered, users are faced with various threats.

The login page imitates McAfee to visit xifinity[.]com

Parking service abuse

Researchers used ztomy[.]com, the 14th most popular parking service provider, to observe several parking pages, which collected personal information about visitors. The researchers found that these pages generate fingerprints of the user’s browser and send them back to the parked domain. The parked page uses a browser fingerprint script from pxlgnpgecom-a.akamaihd[.]net/javascripts/browserfp.min, which collects various private information and tracks user behavior. These browser fingerprints can be used to track visitors’ online activities, allowing ad networks to tailor advertisements to visitors. In addition, domain name owners complained online that the NS records of their domains were configured to bundle NS servers together without realizing it, which can be regarded as a form of domain hijacking.

Example of using ztomy[.]com as the parking domain bridgeplatform[.]biz of the parking service provider

to sum up

All in all, hosted domains put users at risk because they can redirect visitors to malicious or unwanted landing pages, or become completely malicious in the future. Because their utility is vulnerable, and when the researcher’s system is worth assigning a new category, the researcher’s system can quickly reclassify them, so the researcher recommends that Palo Alto Networks next-generation firewall customers use URL filtering or DNS security To block the parking category. Although some people may think this is a bit too cautious due to potential false alarms, the researchers recommend setting up alerts to get more early warning of attacks at a minimum.