<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p style="direction: ltr; text-align: justify;">The website ddd[.]com claims to be a domain registrant and manager, and even if it is, we definitely wouldn't trust this one. Our Security Research team came across this domain while reviewing customer logs and saw an unusually high volume of blocked communications from it.</p> <p style="direction: ltr; text-align: justify;"><span style="font-size: 16px;"><span style="background-color: transparent;">A simple Google search shows results for a "domain manager", with a description written in substandard English and no other information or referrals. Interestingly, the domain has 0/85 malicious detections on </span><a href="https://www.virustotal.com/gui/domain/ddd.com/detection" rel="noopener" style="background-color: transparent;">VirusTotal</a><span style="background-color: transparent;"> from the various threat intelligence and security companies the platform works with, yet the IOC's profile shows dozens of malicious files related to the domain (files deemed malicious by a VT source are colored red).</span></span></p> <p style="direction: ltr; text-align: justify;"><img src="https://info.threatstop.com/hubfs/image-png-Jun-06-2021-07-28-09-04-PM.png" loading="lazy" alt="vt detections"></p> <p style="direction: ltr; text-align: justify;"><img src="https://info.threatstop.com/hubfs/image-png-Jun-06-2021-07-37-31-35-PM.png" loading="lazy" alt="vt graph"></p> <p style="direction: ltr; text-align: justify; font-size: 12px;"><em>Images: <a href="https://www.virustotal.com/gui/domain/ddd.com/detection" rel="noopener">VirusTotal</a></em></p> <p style="direction: ltr; text-align: justify;">This peculiar 
service has also been linked to various types of threats over the last few years on <a href="https://otx.alienvault.com/indicator/domain/ddd.com" rel="noopener">AlienVault's Open Threat Exchange</a>, including mobile information stealers and other malware, data breaches, and the MyDoom malware family. On top of all the suspicious characteristics mentioned above, ddd[.]com is registered with GoDaddy, which, as we all know by now, is more likely than other registrars to be serving up something really bad rather than something good.</p> <p style="direction: ltr; text-align: justify;"><img src="https://info.threatstop.com/hubfs/image-png-Jun-07-2021-02-34-02-93-PM.png" loading="lazy" alt="otx"></p> <p style="direction: ltr; text-align: justify; font-size: 12px;"><em>Image: <a href="https://otx.alienvault.com/indicator/domain/ddd.com" rel="noopener">OTX</a></em></p> <p style="direction: ltr; text-align: justify;">This domain has been active for the last two years in our <em>ThreatSTOP </em><span><em>Originated - Core Threats </em>target, a blocklist of domains that our Security Research team has determined to be a current, active threat and that have not appeared in any other threat intelligence feed. This target includes malware droppers, botnet C&amp;Cs, exploit kits, information on trending APT attacks and more. 
ThreatSTOP analysts build this target by monitoring and analyzing new malware and attacks and swiftly adding their indicators to our systems, from which they are propagated to user devices in real time.</span></p> <p style="direction: ltr; text-align: justify;"><img src="https://info.threatstop.com/hubfs/image-png-Jun-07-2021-02-35-25-19-PM.png" loading="lazy" alt="ThreatSTOP checkioc"></p> <p style="direction: ltr; text-align: justify; font-size: 12px;"><em>Image: <a href="https://check-ioc.threatstop.com/ioc/ddd.com" rel="noopener">ThreatSTOP CheckIOC</a></em></p> <p style="direction: ltr; text-align: justify;">ThreatSTOP recommends exercising caution and blocking domains like this one. Especially after seeing a very large number of connection attempts between our customer networks and this bad domain, we can say with confidence: if a domain looks like it's up to no good, and blocking it won't cripple anyone's work, do yourself a favor and protect your devices and employees from impending threats.</p> <p style="text-align: center;"><em>Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?</em></p></span>
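The post describes two defender activities: reviewing customer logs for communications with this domain, and maintaining a blocklist of domains such as ddd[.]com. The script below is an added example, not ThreatSTOP's code or tooling, showing how a defender can match DNS query logs against a defanged blocklist. It matches on the exact domain or any subdomain of it (so www.ddd.com is caught) while rejecting look-alikes that a naive substring match would flag (addd.com, or ddd.com used as a label inside another name). The log line format, the client addresses and the second indicator are constructed for the example.

```python
"""Match DNS query log lines against a domain blocklist (added example)."""
import re
from collections import Counter
from typing import Dict, Iterable, Optional, Set, Tuple

# Constructed blocklist in the defanged form used in the post.
# ddd[.]com is the domain discussed above; bad-example[.]test is made up.
BLOCKLIST_RAW = ["ddd[.]com", "bad-example[.]test"]

# Constructed sample log lines. Assumed format: "<timestamp> <client> query <qname>".
SAMPLE_LOG = """\
2021-06-07T14:30:01Z 10.0.0.5 query ddd.com
2021-06-07T14:30:02Z 10.0.0.5 query www.ddd.com.
2021-06-07T14:30:03Z 10.0.0.9 query addd.com
2021-06-07T14:30:04Z 10.0.0.9 query ddd.com.cdn.example
2021-06-07T14:30:05Z 10.0.0.7 query DDD.COM
2021-06-07T14:30:06Z 10.0.0.7 query bad-example.test
"""

LOG_RE = re.compile(r"^(?P<ts>\S+) (?P<client>\S+) query (?P<qname>\S+)$")


def normalize(name: str) -> str:
    """Lower-case a DNS name and drop the trailing dot of a fully qualified name."""
    return name.strip().lower().rstrip(".")


def refang(indicator: str) -> str:
    """Turn a defanged indicator such as ddd[.]com back into a matchable name."""
    return normalize(indicator.replace("[.]", ".").replace("(.)", "."))


def load_blocklist(raw: Iterable[str]) -> Set[str]:
    """Refang every indicator in the feed into a set of normalized domains."""
    return {refang(entry) for entry in raw}


def matches_blocklist(qname: str, blocklist: Set[str]) -> Optional[str]:
    """Return the blocklisted domain that qname equals or is a subdomain of.

    The check is on DNS label boundaries: 'www.ddd.com' matches 'ddd.com',
    but 'addd.com' and 'ddd.com.cdn.example' do not.
    """
    q = normalize(qname)
    for blocked in blocklist:
        if q == blocked or q.endswith("." + blocked):
            return blocked
    return None


def scan_log(log_text: str, blocklist: Set[str]) -> Dict[Tuple[str, str], int]:
    """Count matching queries per (client, blocked domain) pair."""
    hits: Counter = Counter()
    for line in log_text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the assumed format
        blocked = matches_blocklist(m["qname"], blocklist)
        if blocked is not None:
            hits[(m["client"], blocked)] += 1
    return dict(hits)


if __name__ == "__main__":
    domains = load_blocklist(BLOCKLIST_RAW)
    for (client, domain), count in sorted(scan_log(SAMPLE_LOG, domains).items()):
        print(f"{client} -> {domain}: {count} hit(s)")
```

On the constructed log above the script reports two hits for 10.0.0.5 and two for 10.0.0.7 against ddd.com and bad-example.test, and none for 10.0.0.9, whose two queries only look similar to the indicator. Checking on label boundaries rather than with a plain substring test is what keeps such look-alikes out of the block decision.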