
T1583.001 Domains

Adversaries may acquire domains that can be used during targeting. Domain names are the human readable names used to represent one or more IP addresses. They can be purchased or, in some cases, acquired for free.

Adversaries may use acquired domains for a variety of purposes, including for Phishing, Drive-by Compromise, and Command and Control.[3] Adversaries may choose domains that are similar to legitimate domains, including through use of homoglyphs or use of a different top-level domain (TLD).[5][1] Typosquatting may be used to aid in delivery of payloads via Drive-by Compromise. Adversaries may also use internationalized domain names (IDNs) and different character sets (e.g. Cyrillic, Greek, etc.) to execute “IDN homograph attacks,” creating visually similar lookalike domains used to deliver malware to victim machines.[2][8][7][13][12]

Adversaries may also acquire and repurpose expired domains, which may be potentially already allowlisted/trusted by defenders based on an existing reputation/history.[10][6][11][14]

Domain registrars each maintain a publicly viewable database that displays contact information for every registered domain. Private WHOIS services display alternative information, such as their own company data, rather than the owner of the domain. Adversaries may use such private WHOIS services to obscure information about who owns a purchased domain. Adversaries may further interrupt efforts to track their infrastructure by using varied registration information and purchasing domains with different domain registrars.[9]

Item Value
ID T1583.001
Sub-techniques T1583.001, T1583.002, T1583.003, T1583.004, T1583.005, T1583.006, T1583.007, T1583.008
Tactics TA0042
Platforms PRE
Version 1.2
Created 30 September 2020
Last Modified 30 March 2023

Procedure Examples

ID Name Description
G0006 APT1 APT1 has registered hundreds of domains for use in operations.[9]
G0007 APT28 APT28 registered domains imitating NATO, OSCE security websites, Caucasus information resources, and other organizations.[5][44][45]
G0050 APT32 APT32 has set up and operated websites to gather information and deliver malware.[26]
G1002 BITTER BITTER has registered a variety of domains to host malicious payloads and for C2.[15]
C0010 C0010 For C0010, UNC3890 actors established domains that appeared to be legitimate services and entities, such as LinkedIn, Facebook, Office 365, and Pfizer.[64]
C0011 C0011 For C0011, Transparent Tribe registered domains likely designed to appear relevant to student targets in India.[68]
C0021 C0021 For C0021, the threat actors registered domains for use in C2.[72]
C0004 CostaRicto For CostaRicto, the threat actors established domains, some of which appeared to spoof legitimate domains.[63]
G0035 Dragonfly Dragonfly has registered domains for targeting intended victims.[46]
G1006 Earth Lusca Earth Lusca has registered domains, intended to look like legitimate target domains, that have been used in watering hole attacks.[16]
G1011 EXOTIC LILY EXOTIC LILY has registered domains to spoof targeted organizations by changing the top-level domain (TLD) to “.us”, “.co” or “.biz”.[51]
G0137 Ferocious Kitten Ferocious Kitten has acquired domains imitating legitimate sites.[37]
G0046 FIN7 FIN7 has registered look-alike domains for use in phishing campaigns.[36]
C0007 FunnyDream For FunnyDream, the threat actors registered a variety of domains.[70]
G0047 Gamaredon Group Gamaredon Group has registered multiple domains to facilitate payload staging and C2.[19][20]
G1001 HEXANE HEXANE has registered and operated domains for campaigns, often using a security or web technology theme or impersonating the targeted organization.[60][59][58]
G0136 IndigoZebra IndigoZebra has established domains, some of which were designed to look like official government domains, for their operations.[52]
G0094 Kimsuky Kimsuky has registered domains to spoof targeted organizations and trusted third parties.[43][38][39][40][41][42]
G0032 Lazarus Group Lazarus Group has acquired domains related to their campaigns to act as distribution points and C2 channels.[21][22]
G0140 LazyScripter LazyScripter has used dynamic DNS providers to create legitimate-looking subdomains for C2.[49]
G0065 Leviathan Leviathan has established domains that impersonate legitimate entities to use for targeting efforts.[53][54]
G0059 Magic Hound Magic Hound has registered fraudulent domains such as “mail-newyorker.com” and “news12.com.recover-session-service.site” to target specific victims with phishing attacks.[27]
G0045 menuPass menuPass has registered malicious domains for use in intrusion campaigns.[56][57]
G0129 Mustang Panda Mustang Panda has acquired C2 domains prior to operations.[23][24][25]
C0022 Operation Dream Job During Operation Dream Job, Lazarus Group registered a domain name identical to that of a compromised company as part of their BEC effort.[69]
C0016 Operation Dust Storm For Operation Dust Storm, the threat actors established domains as part of their operational infrastructure.[66]
C0023 Operation Ghost For Operation Ghost, APT29 registered domains for use in C2 including some crafted to appear as existing legitimate domains.[67]
C0006 Operation Honeybee During Operation Honeybee, threat actors registered domains for C2.[71]
C0005 Operation Spalax For Operation Spalax, the threat actors registered hundreds of domains using Duck DNS and DNS Exit.[65]
G0034 Sandworm Team Sandworm Team has registered domain names and created URLs that are often designed to mimic or spoof legitimate websites, such as email login pages, online file sharing and storage websites, and password reset pages.[47]
G0122 Silent Librarian Silent Librarian has acquired domains to establish credential harvesting pages, often spoofing the target organization and using free top level domains .TK, .ML, .GA, .CF, and .GQ.[28][29][30][31][32][33]
C0024 SolarWinds Compromise For the SolarWinds Compromise, APT29 acquired C2 domains, sometimes through resellers.[61][62]
G0092 TA505 TA505 has registered domains to impersonate services such as Dropbox to distribute malware.[48]
G0139 TeamTNT TeamTNT has obtained domains to host their payloads.[55]
G0027 Threat Group-3390 Threat Group-3390 has registered domains for C2.[50]
G0134 Transparent Tribe Transparent Tribe has registered domains to mimic file sharing, government, defense, and research websites for use in targeted campaigns.[17][18]
G0044 Winnti Group Winnti Group has registered domains for C2 that mimicked sites of their intended targets.[35]
G0128 ZIRCONIUM ZIRCONIUM has purchased domains for use in targeted campaigns.[34]

Mitigations

ID Mitigation Description
M1056 Pre-compromise Organizations may intentionally register similar domains to their own to deter adversaries from creating typosquatting domains. Other facets of this technique cannot be easily mitigated with preventive controls since it is based on behaviors performed outside of the scope of enterprise defenses and controls.

Detection

ID Data Source Data Component
DS0038 Domain Name Active DNS
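The lookalike patterns the description covers (homoglyphs, an alternative TLD, IDN homographs, and a trusted name embedded as a subdomain, as in the Magic Hound example) can be hunted for in Active DNS data by comparing observed names against an organization's own domains. The Python below is an added example, not part of the ATT&CK page or any vendor tooling; it assumes a constructed list of observed domains, a protected domain "example.com", and a deliberately small confusables table.

```python
import codecs
import unicodedata
# Constructed, deliberately small homoglyph table: confusable sequences fold to the ASCII letter they imitate.
CONFUSABLES = {
    "rn": "m", "vv": "w", "0": "o", "1": "l", "|": "l", "\u0430": "a", "\u0435": "e", "\u043e": "o",
    "\u0440": "p", "\u0441": "c", "\u0455": "s", "\u0456": "i", "\u03b1": "a", "\u03bf": "o", "\u03bd": "v",
}
def decode_label(label):
    # Punycode (xn--) labels are decoded to Unicode; plain ASCII passes through.
    if label.startswith("xn--"):
        return codecs.decode(label[4:].encode("ascii"), "punycode")
    return label

def skeleton(label):
    # Fold a label so visually similar spellings compare equal (longest sequences first).
    s = unicodedata.normalize("NFKC", decode_label(label)).lower()
    for seq, rep in sorted(CONFUSABLES.items(), key=lambda kv: -len(kv[0])):
        s = s.replace(seq, rep)
    return s

def classify(domain, protected):
    """Return why `domain` resembles one of the `protected` domains, or None."""
    host = domain.lower().rstrip(".")
    labels = host.split(".")
    if len(labels) < 2:
        return None
    sld, tld = labels[-2], labels[-1]
    for p in (x.lower() for x in protected):
        p_sld, p_tld = p.rsplit(".", 1)
        if sld == p_sld and tld == p_tld:
            continue  # our own domain or one of its subdomains
        if host.startswith(p + "."):
            return f"{p} embedded as subdomain of {sld}.{tld}"
        if sld == p_sld:
            return f"same name as {p} under a different TLD"
        if skeleton(sld) == skeleton(p_sld):
            return ("IDN homograph" if sld.startswith("xn--") else "homoglyph") + f" of {p}"
    return None

# Constructed sample of names as they might appear in Active DNS data (not real indicators).
SAMPLE_DNS_LOG = [
    "example.com", "login.example.com", "unrelated-site.org",
    "examp1e.com",                                   # digit 1 for letter l
    "example.co",                                    # alternative TLD
    "xn--" + "ex\u0430mple".encode("punycode").decode("ascii") + ".com",  # Cyrillic a
    "example.com.recover-session-service.site",      # brand name as a subdomain
]

def scan(lines, protected=("example.com",)):
    return {d: r for d in lines if (r := classify(d, protected)) is not None}
```

Running scan(SAMPLE_DNS_LOG) flags four of the seven names and leaves the organization's own domain, its subdomain and the unrelated name alone.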

References


  1. Bob Sullivan. (2000, July 24). PayPal alert! Beware the ‘PaypaI’ scam. Retrieved March 2, 2017. 

  2. CISA. (2019, September 27). Security Tip (ST05-016): Understanding Internationalized Domain Names. Retrieved October 20, 2020. 

  3. CISA. (2020, September 14). Alert (AA20-258A): Chinese Ministry of State Security-Affiliated Cyber Threat Actor Activity. Retrieved October 1, 2020. 

  4. Fehrman, B. (2017, April 13). How to Bypass Web-Proxy Filtering. Retrieved September 20, 2019. 

  5. FireEye. (2015). APT28: A WINDOW INTO RUSSIA’S CYBER ESPIONAGE OPERATIONS?. Retrieved August 19, 2015. 

  6. Krebs, B. (2018, November 13). That Domain You Forgot to Renew? Yeah, it’s Now Stealing Credit Cards. Retrieved September 20, 2019. 

  7. Malhotra, A., McKay, K. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved July 29, 2022. 

  8. Malhotra, A., Thattil, J. et al. (2022, March 29). Transparent Tribe campaign uses new bespoke malware to target Indian government officials. Retrieved September 6, 2022. 

  9. Mandiant. (n.d.). APT1 Exposing One of China’s Cyber Espionage Units. Retrieved July 18, 2016. 

  10. MDSec Research. (2017, July). Categorisation is not a Security Boundary. Retrieved September 20, 2019. 

  11. Mudge, R. (2017, February 6). High-reputation Redirectors and Domain Fronting. Retrieved July 11, 2022. 

  12. RISKIQ. (2017, December 20). Mining Insights: Infrastructure Analysis of Lazarus Group Cyber Attacks on the Cryptocurrency Industry. Retrieved July 29, 2022. 

  13. RISKIQ. (2022, March 15). RiskIQ Threat Intelligence Roundup: Campaigns Targeting Ukraine and Global Malware Infrastructure. Retrieved July 29, 2022. 

  14. ThreatConnect. (2020, December 15). Infrastructure Research and Hunting: Boiling the Domain Ocean. Retrieved October 12, 2021. 

  15. Dela Paz, R. (2016, October 21). BITTER: a targeted attack against Pakistan. Retrieved June 1, 2022. 

  16. Chen, J., et al. (2022). Delving Deep: An Analysis of Earth Lusca’s Operations. Retrieved July 1, 2022. 

  17. Huss, D. (2016, March 1). Operation Transparent Tribe. Retrieved June 8, 2016. 

  18. Malhotra, A. et al. (2021, May 13). Transparent Tribe APT expands its Windows malware arsenal. Retrieved September 2, 2021. 

  19. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. 

  20. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022. 

  21. Cybersecurity and Infrastructure Security Agency. (2021, February 21). AppleJeus: Analysis of North Korea’s Cryptocurrency Malware. Retrieved March 1, 2021. 

  22. Weidemann, A. (2021, January 25). New campaign targeting security researchers. Retrieved December 20, 2021. 

  23. Counter Threat Unit Research Team. (2019, December 29). BRONZE PRESIDENT Targets NGOs. Retrieved April 13, 2021. 

  24. Insikt Group. (2020, July 28). CHINESE STATE-SPONSORED GROUP ‘REDDELTA’ TARGETS THE VATICAN AND CATHOLIC ORGANIZATIONS. Retrieved April 13, 2021. 

  25. Roccia, T., Seret, T., Fokker, J. (2021, March 16). Technical Analysis of Operation Dianxun. Retrieved April 13, 2021. 

  26. Adair, S. and Lancaster, T. (2020, November 6). OceanLotus: Extending Cyber Espionage Operations Through Fake Websites. Retrieved November 20, 2020. 

  27. Certfa Labs. (2021, January 8). Charming Kitten’s Christmas Gift. Retrieved May 3, 2021. 

  28. DOJ. (2018, March 23). U.S. v. Rafatnejad et al. Retrieved February 3, 2021. 

  29. Hassold, Crane. (2018, March 26). Silent Librarian: More to the Story of the Iranian Mabna Institute Indictment. Retrieved February 3, 2021. 

  30. Counter Threat Unit Research Team. (2018, August 24). Back to School: COBALT DICKENS Targets Universities. Retrieved February 3, 2021. 

  31. Proofpoint Threat Insight Team. (2019, September 5). Threat Actor Profile: TA407, the Silent Librarian. Retrieved February 3, 2021. 

  32. Counter Threat Unit Research Team. (2019, September 11). COBALT DICKENS Goes Back to School…Again. Retrieved February 3, 2021. 

  33. Malwarebytes Threat Intelligence Team. (2020, October 14). Silent Librarian APT right on schedule for 20/21 academic year. Retrieved February 3, 2021. 

  34. Burt, T. (2020, September 10). New cyberattacks targeting U.S. elections. Retrieved March 24, 2021. 

  35. Kaspersky Lab’s Global Research and Analysis Team. (2013, April 11). Winnti. More than just a game. Retrieved February 8, 2017. 

  36. eSentire. (2021, July 21). Notorious Cybercrime Gang, FIN7, Lands Malware in Law Firm Using Fake Legal Complaint Against Jack Daniels’ Owner, Brown-Forman Inc. Retrieved September 20, 2021. 

  37. GReAT. (2021, June 16). Ferocious Kitten: 6 Years of Covert Surveillance in Iran. Retrieved September 22, 2021. 

  38. Cimpanu, C. (2020, September 30). North Korea has tried to hack 11 officials of the UN Security Council. Retrieved November 4, 2020. 

  39. CISA, FBI, CNMF. (2020, October 27). https://us-cert.cisa.gov/ncas/alerts/aa20-301a. Retrieved November 4, 2020. 

  40. Dahan, A. et al. (2020, November 2). Back to the Future: Inside the Kimsuky KGH Spyware Suite. Retrieved November 6, 2020. 

  41. Jazi, H. (2021, June 1). Kimsuky APT continues to target South Korean government using AppleSeed backdoor. Retrieved June 10, 2021. 

  42. KISA. (n.d.). Phishing Target Reconnaissance and Attack Resource Analysis Operation Muzabi. Retrieved March 7, 2022. 

  43. ThreatConnect. (2020, September 28). Kimsuky Phishing Operations Putting In Work. Retrieved October 30, 2020. 

  44. Brady, S. (2018, October 3). Indictment - United States vs Aleksei Sergeyevich Morenets, et al. Retrieved October 1, 2020. 

  45. Huntley, S. (2022, March 7). An update on the threat landscape. Retrieved March 16, 2022. 

  46. CISA. (2020, December 1). Russian State-Sponsored Advanced Persistent Threat Actor Compromises U.S. Government Targets. Retrieved December 9, 2021. 

  47. Scott W. Brady. (2020, October 15). United States vs. Yuriy Sergeyevich Andrienko et al. Retrieved November 25, 2020. 

  48. Financial Security Institute. (2020, February 28). Profiling of TA505 Threat Group That Continues to Attack the Financial Sector. Retrieved July 14, 2022. 

  49. Jazi, H. (2021, February). LazyScripter: From Empire to double RAT. Retrieved November 24, 2021. 

  50. Daniel Lunghi. (2023, March 1). Iron Tiger’s SysUpdate Reappears, Adds Linux Targeting. Retrieved March 20, 2023. 

  51. Stolyarov, V. (2022, March 17). Exposing initial access broker with ties to Conti. Retrieved August 18, 2022. 

  52. CheckPoint Research. (2021, July 1). IndigoZebra APT continues to attack Central Asia with evolving tools. Retrieved September 24, 2021. 

  53. CISA. (2021, July 19). (AA21-200A) Joint Cybersecurity Advisory – Tactics, Techniques, and Procedures of Indicted APT40 Actors Associated with China’s MSS Hainan State Security Department. Retrieved August 12, 2021. 

  54. Accenture iDefense Unit. (2019, March 5). Mudcarp’s Focus on Submarine Technologies. Retrieved August 24, 2021. 

  55. Quist, N. (2020, October 5). Black-T: New Cryptojacking Variant from TeamTNT. Retrieved September 22, 2021. 

  56. United States District Court Southern District of New York (USDC SDNY). (2018, December 17). United States of America v. Zhu Hua and Zhang Shilong. Retrieved April 17, 2019. 

  57. US District Court Southern District of New York. (2018, December 17). United States v. Zhu Hua Indictment. Retrieved December 17, 2020. 

  58. ClearSky Cyber Security. (2021, August). New Iranian Espionage Campaign By “Siamesekitten” - Lyceum. Retrieved June 6, 2022. 

  59. Dragos. (n.d.). Hexane. Retrieved October 27, 2019. 

  60. SecureWorks. (2019, August 27). LYCEUM Takes Center Stage in Middle East Campaign. Retrieved November 19, 2019. 

  61. Nafisi, R., Lelli, A. (2021, March 4). GoldMax, GoldFinder, and Sibot: Analyzing NOBELIUM’s layered persistence. Retrieved March 8, 2021. 

  62. Smith, L., Leathery, J., Read, B. (2021, March 4). New SUNSHUTTLE Second-Stage Backdoor Uncovered Targeting U.S.-Based Entity; Possible Connection to UNC2452. Retrieved March 12, 2021. 

  63. The BlackBerry Research and Intelligence Team. (2020, November 12). The CostaRicto Campaign: Cyber-Espionage Outsourced. Retrieved May 24, 2021. 

  64. Mandiant Israel Research Team. (2022, August 17). Suspected Iranian Actor Targeting Israeli Shipping, Healthcare, Government and Energy Sectors. Retrieved September 21, 2022. 

  65. M. Porolli. (2021, January 21). Operation Spalax: Targeted malware attacks in Colombia. Retrieved September 16, 2022. 

  66. Gross, J. (2016, February 23). Operation Dust Storm. Retrieved December 22, 2021. 

  67. Faou, M., Tartare, M., Dupuy, T. (2019, October). OPERATION GHOST. Retrieved September 23, 2020. 

  68. N. Baisini. (2022, July 13). Transparent Tribe begins targeting education sector in latest campaign. Retrieved September 22, 2022. 

  69. Breitenbacher, D and Osis, K. (2020, June 17). OPERATION IN(TER)CEPTION: Targeted Attacks Against European Aerospace and Military Companies. Retrieved December 20, 2021. 

  70. Vrabie, V. (2020, November). Dissecting a Chinese APT Targeting South Eastern Asian Government Institutions. Retrieved September 19, 2022. 

  71. Sherstobitoff, R. (2018, March 02). McAfee Uncovers Operation Honeybee, a Malicious Document Campaign Targeting Humanitarian Aid Groups. Retrieved May 16, 2018. 

  72. Dunwoody, M., et al. (2018, November 19). Not So Cozy: An Uncomfortable Examination of a Suspected APT29 Phishing Campaign. Retrieved November 27, 2018.