More Bad IPs from duckdns.org Typosquats

Ever since we posted about Duck DNS  at the end of last year, we have seen a ton of curiosity about the free dynamic DNS hosting provider. As a reminder - Duck DNS allows anyone to route traffic from one of their subdomains (*.duckdns[.]org) to an IP of choice. Since this free service is so prevalently used, cyber attackers are joining the club and exploiting the service. Not only is it bad enough that it's already easy to abuse a free dynamic dns hosting service for malware, hackers are creating Duck DNS typosquats too.

In our previous post, we showed an IP infrastructure that hosts these typosquats. The parent domains and their related IPs were:

An updated analysis on the infrastructure shows that the core IPs (170.178.168[.]203, 103.224.182[.]242, 70.32.1[.]32) are still hosting much of the infrastructure, while additional IPs have joined in to host various Duck DNS typosquat subdomains. Based on the infrastructure dispersion seen below, and differences registrars and registration dates, we can guess that there are a few hackers/cyber groups that are trying to capitalize on Duck DNS typosquat abuse. And the worst part is - many of the fake domains listed above are in the list of most popular websites on the internet, meaning they are being "visited" (infecting victims) at a high rate.

Image courtesy of VirusTotal

If you are a ThreatSTOP customer, you are automatically protected from this threat infrastructure and others like it. Not a ThreatSTOP customer yet? Want to see ThreatSTOP instantly eliminate attacks on your network?

Note: ThreatSTOP customers that want to block dynamic DNS providers altogether can simply add our DynDNS target to their policy for instant protection.

Indicators of compromise from updated analysis: