Common Information
| Type | Value |
|---|---|
| Value |
Domains - T1583.001 |
| Category | Attack-Pattern |
| Type | Mitre-Attack-Pattern |
| Misp Type | Cluster |
| Description | Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free. Adversaries may use acquired domains for a variety of purposes, including for [Phishing](https://attack.mitre.org/techniques/T1566), [Drive-by Compromise](https://attack.mitre.org/techniques/T1189), and Command and Control.(Citation: CISA MSS Sep 2020) Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).(Citation: FireEye APT28)(Citation: PaypalScam) Typosquatting may be used to aid in delivery of payloads via [Drive-by Compromise](https://attack.mitre.org/techniques/T1189). Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute "IDN homograph attacks," creating visually similar lookalike domains used to deliver malware to victim machines.(Citation: CISA IDN ST05-016)(Citation: tt_httrack_fake_domains)(Citation: tt_obliqueRAT)(Citation: httrack_unhcr)(Citation: lazgroup_idn_phishing) Different URIs/URLs may also be dynamically generated to uniquely serve malicious content to victims (including one-time, single use domain names).(Citation: iOS URL Scheme)(Citation: URI)(Citation: URI Use)(Citation: URI Unique) Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.(Citation: Categorisation_not_boundary)(Citation: Domain_Steal_CC)(Citation: Redirectors_Domain_Fronting)(Citation: bypass_webproxy_filtering) Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.(Citation: Mandiant APT1) |
| Details | Published | Attributes | CTI | Title | ||
|---|---|---|---|---|---|---|
| Details | Website | 2020-05-01 | 379 | Threat Roundup for April 24 to May 1 | ||
| Details | Website | 2020-05-01 | 38 | The end of Dreambot? Obituary for a loved piece of Gozi | ||
| Details | Website | 2020-04-30 | 5 | APT trends report Q1 2020 | ||
| Details | Website | 2020-04-30 | 24 | EventBot: A New Mobile Banking Trojan is Born | ||
| Details | Website | 2020-04-30 | 31 | Anomali Suspects that China-Backed APT Pirate Panda May Be Seeking Access to Vietnam Government Data Center | ||
| Details | Website | 2020-04-29 | 161 | Upgraded Aggah malspam campaign delivers multiple RATs | ||
| Details | Website | 2020-04-28 | 123 | Hiding in plain sight: PhantomLance walks into a market | ||
| Details | Website | 2020-04-27 | 0 | Attackers exploit 0-day code-execution flaw in the Sophos firewall | ||
| Details | Website | 2020-04-27 | 15 | Beware of the GIF: Account Takeover Vulnerability in Microsoft Teams | ||
| Details | Website | 2020-04-26 | 24 | Use Ghidra to decrypt strings of KpotStealer malware – nullteilerfrei | ||
| Details | Website | 2020-04-24 | 1 | Malicious USB Drives Infect 35,000 Computers With Crypto-Mining Botnet | ||
| Details | Website | 2020-04-24 | 5 | Facebook: Here’s Proof Israeli WhatsApp Hackers Ran Cyberweapons In America | ||
| Details | Website | 2020-04-23 | 72 | Threat Spotlight: MedusaLocker | ||
| Details | Website | 2020-04-23 | 85 | Following ESET’s discovery, a Monero mining botnet is disrupted | WeLiveSecurity | ||
| Details | Website | 2020-04-23 | 0 | 30,000 Percent Increase in COVID-19-Themed Attacks | Zscaler | ||
| Details | Website | 2020-04-22 | 88 | Studying How Cybercriminals Prey on the COVID-19 Pandemic | ||
| Details | Website | 2020-04-22 | 26 | Vietnamese Threat Actors APT32 Targets Wuhan Government | ||
| Details | Website | 2020-04-22 | 26 | Vietnamese Threat Actors APT32 Targeting Wuhan Government and Chinese Ministry of Emergency Management in Latest Example of COVID-19 Related Espionage | Mandiant | ||
| Details | Website | 2020-04-17 | 449 | Threat Roundup for April 10 to April 17 | ||
| Details | Website | 2020-04-17 | 34 | Web Skimmer with a Domain Name Generator | ||
| Details | Website | 2020-04-17 | 71 | Gamaredon APT Group Use Covid-19 Lure in Campaigns | ||
| Details | Website | 2020-04-16 | 54 | PoetRAT: Python RAT uses COVID-19 lures to target Azerbaijan public and private sectors | ||
| Details | Website | 2020-04-16 | 0 | Virtual ENGAGE 20: Insights and Solutions to Help Enterprises Deliver Top Performance | NETSCOUT | ||
| Details | Website | 2020-04-16 | 54 | Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems | ||
| Details | Website | 2020-04-16 | 53 | Exposing Modular Adware: How DealPly, IsErIk, and ManageX Persist in Systems |