Ever since we posted about Duck DNS  at the end of last year, we have seen a ton of curiosity about the free dynamic DNS hosting provider. As a reminder - Duck DNS allows anyone to route traffic from one of their subdomains (*.duckdns[.]org) to an IP of choice. Since this free service is so prevalently used, cyber attackers are joining the club and exploiting the service. Not only is it bad enough that it's already easy to abuse a free dynamic dns hosting service for malware, hackers are creating Duck DNS typosquats too.

In our previous post, we showed an IP infrastructure that hosts these typosquats. The parent domains and their related IPs were:

Domains
ducksdns[.]org
duckddns[.]org
ducknds[.]org
duck-dns[.]org
ducksns[.]org
duckcns[.]org
dockdns[.]org
dukdns[.]org
ducdns[.]org
duc.kdns[.]org
duckns[.]org
duck.dns[.]org
 
IPs
170.178.168[.]203
103.224.182[.]242
70.32.1[.]32
81.171.22[.]7
23.82.12[.]31
192.185.167[.]252
199.59.242[.]153
 

An updated analysis on the infrastructure shows that the core IPs (170.178.168[.]203, 103.224.182[.]242, 70.32.1[.]32) are still hosting much of the infrastructure, while additional IPs have joined in to host various Duck DNS typosquat subdomains. Based on the infrastructure dispersion seen below, and differences registrars and registration dates, we can guess that there are a few hackers/cyber groups that are trying to capitalize on Duck DNS typosquat abuse. And the worst part is - many of the fake domains listed above are in the list of most popular websites on the internet, meaning they are being "visited" (infecting victims) at a high rate.

duckdns_typosquats_virustotalImage courtesy of VirusTotal

 

If you are a ThreatSTOP customer, you are automatically protected from this threat infrastructure and others like it. Not a ThreatSTOP customer yet? Want to see ThreatSTOP instantly eliminate attacks on your network?

Get a Demo

Note: ThreatSTOP customers that want to block dynamic DNS providers altogether can simply add our DynDNS target to their policy for instant protection.

 

Indicators of compromise from updated analysis:

Subdomains Hosted IP
*.ducksdns[.]org 23.82.12[.]32
5.79.68[.]102
212.32.237[.]101
23.82.12[.]29
212.32.237[.]92
23.82.12[.]30
212.32.237[.]91
23.82.12[.]31
212.32.237[.]90
*.duckddns[.]org
*.ducknds[.]org
*.duck-dns[.]org
*.duckcns[.]org
*.dockdns[.]org
*.ducknds[.]org		 70.32.1[.]32
103.224.182[.]242
170.178.168[.]203
*.ducksns[.]org 75.2.37[.]224
*.duc.kdns[.]org 72.52.178[.]23
*.duckns[.]org 172.98.192[.]36
93.115.28[.]104
63.143.32[.]89
172.98.192[.]35
109.201.135[.]44
172.98.192[.]37
199.59.243[.]200
199.59.242[.]153
64.190.63[.]136
78.41.204[.]33
78.41.204[.]27
78.41.204[.]34
78.41.204[.]32
78.41.204[.]26
duck.dns[.]org: 192.185.167[.]252