APT groups are registering domains for command and control (C2), long before launching their attacks, to stay undetected. Recent research claims that 22.3% of aged domain owners may return dangerous outcomes, as these dormant domains are increasingly being misused by attackers.
What has happened?
In September 2021, security analysts tracked tens of thousands of domains. The analysis has revealed some interesting statistics as provided below.
Approximately 3.8% of all domains are malicious, 19% suspicious, and 2% unsafe for work environments.
Such high numbers of malicious and dormant domains are a serious risk to all internet users.
Abuse of aged domains
The attackers are registering domains years before using them for creating clean records. This allows them to avoid security detection solutions and successfully run their malicious campaigns.
The malware can stay dormant for years and can be activated using C2 domains and produce a huge amount of malicious traffic without raising much suspicion.
These suspicious domains can be used to abuse the Domain Generation Algorithm (DGA) to exfiltrate data using DNS traffic and provide proxy layers.
The common tools and techniques used by the attackers include spyware, phishing, and wildcard DNS Abuse.
Registering C2 domains a year before carrying out attacks shows the strategic prowess of APT groups. According to experts, monitoring DNS data (e.g. queries, responses, IP addresses) and focusing on recognizing malicious patterns may allow better protection.