Recently, we found a suspicious GoELFsample, which is a downloder mainly to spread mining malwares. The interesting part is that we noticed it using namesilo’s Parking page and Google’s user-defined page to spread the sample and configuration. Apparently this is yet another attempt to hide control channel to avoid being tracked|monitored|blocked from the malicious actor and it probably has served them well.
The exact sample had been reported by Tencent security team, but the analysis of the propagation is not quite accurate. It is often thought that during the domain parking period (Domain Parking), the content displayed on the page is managed by the domain parking provider, and the actual owner of the domain cannot modify its page content. However, in this case, the domain parking provider allows the domain owner to customize the parking page. The attacker took advantage of this, along with the custom pages provided by Google, to spread his malware.
This has two obvious benefits: on the one hand, the attacker hardly needs to pay any bandwidth and server costs for the malicious code distribution; on the other hand, as the bots ‘talk’ to the domain parking provider and google, the control traffic totally blends in, making it very difficult to be monitored and blocked.
From our DNSMon/DTA monitoring data, we see this new trend has shown signs of increase in recent months.
Origins
On 10.13, our BotnetMon IDed a suspicious GoELF sample that would request a known suspicious domain www[.]hellomeyou.cyou, which Tencent had covered in a previous mining malware report.
There is nothing particularly interesting regarding to the mining part, however, we noted that the DNS resolution of www.hellomeyou.cyou has historically been CNAME to a parking domain parking.namesilo.com
The parking domains are usually registered but not activated, how could they be a part of the malicious sample distribution?
Logging into namesilo’s user service interface, we learned that its ParkingPage is user-definable content, which in turn gives hacker groups the opportunity to exploit it.
Multiple historical snapshots of the site in our DNSMon system showed that the title of the page was a malicious sample link, and the description of the page was xmrig configuration.
At the same time, there is also the exploitation of github and google links in the description, which further analysis shows that both are a part of malware distribution channel. Among them, google’s custom page contains a base64 encoded xmrig mining software.
When talk about Parking domain related security issues, many articles out there would refer to some well known problems, mainly Malvertising and abuse related.
In this case, it is different. This particular case uses the “user-customize” parking page directly for its control channel. Hackers do not need to have their own machines and IPs, they just use the parked pages provided by the domain registrar, as well as the custom pages of google(see the following snapshot) to help spreading their malware. By doing this, the malicious actor totally goes under the radar because all the control channel traffic use these totally legit “public facilities”
Correlation
Through the page similarity correlation analysis, we see a total of 8 web records with similar configurations in the historical data.
Corresponding to the capture of 2 samples
We retraced the history of the malicious samples involving parking.namesilo.com in our BotnetMon and could see an upward trend since June this year, looks like this technique might have been working well, we will keep an eye on it.