<span id="hs_cos_wrapper_post_body" class="hs_cos_wrapper hs_cos_wrapper_meta_field hs_cos_wrapper_type_rich_text" style="" data-hs-cos-general-type="meta_field" data-hs-cos-type="rich_text" ><p>Dynamic DNS services are often used for legitimate purposes, until they're not. These services allow a domain name to point to 'moving' resources on the Internet whose public IP address changes at varying intervals. A small business may use a DynDNS service legitimately to manage hosts that get their addresses from DHCP, yet many threat actors abuse dynamic DNS to mask their activity, identity, and physical location.</p> <p>Our team came across Mooo[.]com while researching the infrastructure of an attack campaign by APT-C-59, a Chinese cyber gang that surfaced in 2020 (also dubbed Wuqiongdong). One of the attack domains, hao.360.mooo[.]com, led us to research the dynamic DNS service FreeDNS as a platform used for malware distribution.</p> <p><em><img src="https://www.threatstop.com/hubfs/mooo-otx-1.png" alt="mooo-otx-1" width="1038" loading="lazy" style="width: 1038px;"></em><em>Image: <a href="https://otx.alienvault.com/indicator/domain/mooo.com" rel="noopener" target="_blank">AlienVault OTX</a></em></p> <p>FreeDNS provides domain hosting as well as static and dynamic DNS services for free. It is a classic example of a service that your neighbor's teen will use to kick off their online hat store, and that cyber criminals will use to host infection sites and C2s for malware.
All four FreeDNS afraid[.]org nameservers related to Mooo[.]com are also known for malicious activity on <a href="https://www.virustotal.com/gui/domain/ns1.afraid.org/detection" rel="noopener" target="_blank">VirusTotal</a>.</p> <p>If your business' daily activity relies on viewing a variety of esoteric small-business websites, it may not be worthwhile for you to block fishy, free dynamic DNS services, even if the price is being much more vulnerable to a malware or ransomware attack. But if your employees aren't supposed to be constantly scouring the web for unofficial websites like peel[.]mooo[.]com or bbqsauce[.]mooo[.]com, we definitely recommend blocking services like this one as a whole. Our team recently reviewed the free dynamic DNS service <a href="/blog/duckdns-malicious-typosquats" rel="noopener" target="_blank">DuckDNS</a>, which serves as another example of dynamic DNS hosting a ton of badness and very few critical web destinations (if any).</p> <p>Another important lesson from the widespread use of dynamic DNS today is that it's not enough to block cyber attacker infrastructure IPs. Blocking the IP provides only momentary protection, quickly becoming obsolete when the domain changes locations. With ThreatSTOP Protective DNS, users are protected at the domain level. No matter which IP hao.360.mooo[.]com (or any other malicious dynamic domain) resolves to, ThreatSTOP has you covered.</p> <div> <div> <p style="font-weight: bold;"><em>Ready to try ThreatSTOP in your network? Want an expert-led demo to see how it works?</em></p> </div> </div> </span>
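A domain-level check of the kind described above, as an added example that is not ThreatSTOP's code: it walks constructed DNS query log lines and flags every query under the dynamic DNS zones named in this post, matching on zone labels so that hao.360.mooo[.]com is caught whichever IP it resolves to. The zone list, the log format and the log lines are assumptions.

```python
"""Flag DNS queries that fall under dynamic-DNS zones, matching on the domain.

Added example, not ThreatSTOP's code. The zone list and log lines are constructed;
the log format assumed here is: <timestamp> <client-ip> <qname> <answer-ip>.
"""

# Zones named in the post; every subdomain under them is treated as matching.
# A real deployment would load this set from a feed rather than hard-code it.
DYNDNS_ZONES = {"mooo.com", "afraid.org", "duckdns.org"}

# Constructed sample: the same attack domain resolves to two different IPs,
# which is why blocking the IP alone gives only momentary protection.
SAMPLE_LOG = """\
2023-05-01T10:00:01Z 10.0.0.5 hao.360.mooo.com 203.0.113.10
2023-05-01T10:00:07Z 10.0.0.9 www.example.com 198.51.100.7
2023-05-01T11:30:44Z 10.0.0.5 hao.360.mooo.com 203.0.113.77
2023-05-01T12:01:13Z 10.0.0.12 peel.mooo.com 192.0.2.44
2023-05-01T12:05:00Z 10.0.0.12 mooo.com.example.org 192.0.2.9
"""


def matching_zone(qname, zones=DYNDNS_ZONES):
    """Return the zone qname sits under, or None.

    Matching is label-aligned: 'hao.360.mooo.com' matches 'mooo.com', while
    'mooo.com.example.org' and 'notmooo.com' do not (a substring test would).
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in zones:
            return ".".join(labels[i:])
    return None


def flag_queries(log_text):
    """Return (client, qname, answer_ip) for every query under a flagged zone."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed records instead of crashing on them
        _ts, client, qname, answer = parts
        if matching_zone(qname):
            hits.append((client, qname, answer))
    return hits


if __name__ == "__main__":
    for client, qname, ip in flag_queries(SAMPLE_LOG):
        print(f"{client} queried {qname}, which resolved to {ip}")
```

The last sample line shows why the zone match must be label-aligned: a name that merely contains "mooo.com" as a prefix is not under that zone and is left alone.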