ThreatSTOP Blog

Malicious DNS Lookup Analysis and Overlaps with Sanctioned Regions

Written by Joel Esler | October 1, 2024

In cybersecurity, where a domain is hosted isn't the only thing we need to look at. When we dig deeper into where domains are accessed from, we can uncover some genuinely interesting patterns. By looking at where lookups for these domains originate, we can start to piece together patterns of malicious activity and even link domains to cybercrime operations.

This post summarizes findings from a recent geolocation analysis of suspicious domains, highlighting overlaps with sanctioned countries, signs of Domain Generation Algorithm (DGA) activity, and potential connections to well-known cyber campaigns such as Operation Triangulation.

DNS Lookup Geolocation: Analyzing Origin Instead of Destination

DNS queries are often the earliest signals of malicious intent, revealing where domains are being accessed from rather than simply where they are hosted. This perspective can be invaluable for identifying:

  1. Regional Targeting Patterns: Domains with consistent lookup activity from specific regions may indicate a targeted attack or phishing campaign aimed at users in those areas.

  2. Compromised Infrastructure: Lookups from unexpected locations can suggest the presence of infected devices.

  3. Nation-State Involvement: Domains accessed from sanctioned or politically sensitive regions could be linked to nation-state cyber operations.

Let’s dive into the origins of DNS lookups. By doing so, we can uncover patterns that aid in campaign attribution, track adversary movements, and anticipate escalations in cyber activity.

Revealing Patterns: Geographical Clustering of Malicious Domains

The geolocation analysis uncovered some interesting patterns of domain lookups, hinting at possible coordinated campaigns, botnet activity, or covert malicious networks. Here’s a breakdown of the most compelling patterns:

  • Domains Linked by St. Peter Port, Guernsey, and Tehran, Iran
    Several domains, such as chicostara[.]com and suewyllie[.]com, showed consistent lookup activity from both St. Peter Port and Tehran, Iran. This unusual pattern suggests a network of infected devices in these two separate locations. Both of these domains are associated with the Sality malware, a known threat for its ability to spread via infected files and establish resilient C2 infrastructure.

  • Phishing domains Spanning Brno, Czech Republic, and Virginia Beach, US
    Phishing domains such as soquartiner-w-o-u-r-k-u-pamper-4-4-4[.]xyz and bene.worx-promotions[.]com were looked up from two different regions: Brno, Czech Republic, and Virginia Beach, US. This highlights the extent to which phishing campaigns can target victims across various locations.

  • Lumma Stealer Activity Across Chile and Peru
    Domains attributed to the Lumma Stealer malware (milldymarskwom[.]shop, quotamkdsdqo[.]shop, and puredoffustow[.]shop) showed significant lookup activity from both Chile and Peru. Lumma Stealer is known for its capability to steal sensitive information from infected devices, and this geographic distribution may indicate a coordinated campaign to compromise users in these Latin American regions.

Operation Triangulation: A Coordinated Campaign in Russian Sanctioned Regions

A deeper dive into the data revealed a set of domains associated with Operation Triangulation. These domains are frequently queried from multiple Russian cities, such as Volgograd and Izhevsk, and even from parts of Ukraine. The following domains are implicated in this campaign:

  • backuprabbit[.]com
  • cloudsponcer[.]com
  • snoweeanalytics[.]com
  • topographyupdates[.]com
  • unlimitedteacup[.]com
  • virtuallaughing[.]com

Operation Triangulation appears to be orchestrated through a sophisticated network of command-and-control infrastructure spanning these regions. It uses DNS queries to manage botnets, distribute payloads, and coordinate attacks. The convergence of lookup sources within designated regions indicates that this campaign might be more extensive than merely targeting Kaspersky’s organization. While we anticipate infections primarily in Russia and Ukraine, it’s particularly interesting to discover lookups attributed to this campaign in New York, USA, and London, GB, suggesting that infected devices have traveled outside the targeted region. While those out-of-region lookups could plausibly stem from research activity, the clustering of several of the domains within the same region aligns with the pattern of infected devices in Russia and Ukraine.

DGA Patterns in Expiro Botnet Domains

The analysis also highlighted a collection of [.]biz domains exhibiting patterns consistent with Domain Generation Algorithm (DGA) usage. The Expiro botnet is known to employ DGAs to generate multiple domains for its C2 communication, making it difficult for defenders to preemptively block its operations. The following domains were flagged:

  • whjovd[.]biz
  • uaafd[.]biz
  • xccjj[.]biz
  • hehckyov[.]biz
  • reczwga[.]biz
  • ywffr[.]biz
  • muapr[.]biz

These domains, along with others, show frequent lookup activity from locations in Karaj, Iran, and Moscow, Russia. The ability to automate domain creation using a DGA allows Expiro to evade static defenses and maintain persistence even when C2 domains are discovered and taken down.

Global Reach of Suspicious Domains: Beyond Sanctioned Locations

The analysis also revealed a surprisingly diverse set of regions involved in lookups for these domains, indicating the presence of compromised devices, proxy networks, or malicious infrastructure in various parts of the world. Here are a few notable examples:

  • Small-Town America as a Hotspot
    Domains like dreamwavelogix[.]com and pitbullterrierpuppieshome[.]com were consistently looked up from small towns in Illinois and Indiana. This unusual pattern suggests that local networks in these areas may have been compromised. While these domains are phishing domains, the consistent and repeated lookup pattern is odd. Researchers? Sandboxes? People consistently clicking malicious links?

  • Emerging Cybercrime Hubs in Africa and Latin America
    Domains linked to the Expiro botnet were frequently looked up from Nairobi, Kenya, and Ouagadougou, Burkina Faso, as well as Cuenca, Ecuador. This is a strong indication that multiple infections are present in these specific countries.

Actionable Insights: Using Geolocation Data to Enhance Defense

The geolocation insights from this analysis reveal several strategies that security teams can employ to bolster their defenses:

  1. Geolocation-Based Blocking
    Implementing geolocation-based filtering for high-risk regions, such as sanctioned countries, can significantly reduce the attack surface.

  2. Prioritizing Alerts for Sanctioned Country Traffic
    DNS lookups from sanctioned regions should be flagged for higher scrutiny, as they may indicate targeted attacks or command-and-control communication.

  3. Integrating DGA Detection
    Building DGA detection into DNS monitoring, like our Protective DNS solution, can help identify infections like Expiro, which rely on automated domain generation for their resilience.

  4. Identifying Compromised Local Networks
    Anomalous lookups from unexpected regions, such as rural areas in the U.S. or less monitored regions in Africa and Latin America, should trigger an investigation into potential compromised networks or relay nodes.
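As an added example (not code from the post or from ThreatSTOP’s product), the Python below applies two of the strategies above, flagging lookups whose client geolocation falls in an operator-chosen high-scrutiny list and scoring queried names with a cheap lexical DGA heuristic of the kind that trips on the Expiro [.]biz names listed earlier. The log format, the country list, and the heuristic thresholds are assumptions; the log lines are constructed, with domain names taken from the post.

```python
import re

# Constructed sample DNS query log (not from the original post):
# timestamp, client country code, client city, queried name.
SAMPLE_LOG = """\
2024-09-30T10:01:02Z IR Karaj whjovd.biz
2024-09-30T10:01:05Z RU Moscow xccjj.biz
2024-09-30T10:02:11Z US Peoria dreamwavelogix.com
2024-09-30T10:03:40Z CL Santiago milldymarskwom.shop
2024-09-30T10:04:00Z DE Berlin www.example.com
"""

# Placeholder set of client-location country codes an operator chooses to
# flag for higher scrutiny (assumption; the post sees Iran and Russia as
# sanctioned regions in its data, but the list is a policy decision).
HIGH_SCRUTINY_COUNTRIES = {"IR", "RU"}
VOWELS = set("aeiou")


def registrable_label(fqdn):
    """Label left of the TLD (assumes single-label TLDs such as .biz or .com)."""
    labels = fqdn.lower().rstrip(".").split(".")
    return labels[-2] if len(labels) >= 2 else labels[0]


def looks_dga(label):
    """Cheap lexical triage signal, not a classifier: few vowels or a long
    consonant run. Short random labels tend to trip it; dictionary-like
    names usually do not."""
    letters = [c for c in label if c.isalpha()]
    if not letters:
        return False
    vowel_ratio = sum(c in VOWELS for c in letters) / len(letters)
    runs = re.findall(r"[b-df-hj-np-tv-z]+", label) or [""]  # y counted as consonant
    return vowel_ratio < 0.3 or max(len(r) for r in runs) >= 4


def triage(log_text):
    """Parse the log and return only lookups that deserve scrutiny, with reasons."""
    alerts = []
    for line in log_text.splitlines():
        ts, country, city, name = line.split()
        reasons = []
        if country in HIGH_SCRUTINY_COUNTRIES:
            reasons.append("client-in-high-scrutiny-region")
        if looks_dga(registrable_label(name)):
            reasons.append("dga-like-name")
        if reasons:  # both signals together raise the severity
            alerts.append({"ts": ts, "client": f"{city},{country}", "domain": name,
                           "severity": "high" if len(reasons) == 2 else "medium",
                           "reasons": "+".join(reasons)})
    return alerts
```

Run `triage(SAMPLE_LOG)` and the two Iranian and Russian lookups for DGA-like names come back as high severity, the Lumma domain from Chile as medium, and the dictionary-like names are not flagged.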

Conclusion

By analyzing where domains are being looked up from—rather than just where they’re hosted—we gain a new perspective on cyber threats. Geolocation analysis, combined with insights into sanctioned regions and campaigns like Operation Triangulation and the Expiro botnet, helps uncover hidden patterns and highlight potential connections to nation-state actors or criminal organizations. Understanding these patterns empowers security teams to strengthen defenses and proactively respond to emerging threats.

At ThreatSTOP, we integrate geolocation insights into our comprehensive DNS protection services, helping organizations detect and block malicious activity no matter where it originates. To learn more about how we can help your organization stay secure, visit our Threat Intelligence Solutions page.
