National Cyber Warfare Foundation (NCWF) Forums


Uncovering Prolific Puma, Massive Domain Generator & URL Shortener


0 user ratings
2023-11-02 08:08:23
milo
Red Team (CNA)

 - archive -- 

Hackers can exploit Massive Domain Generator and URL Shortener services by creating large numbers of deceptive or malicious domains and using URL shorteners to hide the true destination of links.  This can be used for the following illicit purposes:-  Recently, cybersecurity analysts at Infoblox uncovered a massive domain generator and URL shortener service dubbed “Prolific […]


The post Uncovering Prolific Puma, Massive Domain Generator & URL Shortener appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Hackers can exploit Massive Domain Generator and URL Shortener services by creating large numbers of deceptive or malicious domains and using URL shorteners to hide the true destination of links. 





This can be used for the following illicit purposes:- 






  • Phishing attacks




  • Spreading malware




  • Directing unsuspecting users to malicious websites




  • Makes it harder to trace the source of the attacks





Recently, cybersecurity analysts at Infoblox uncovered a massive domain generator and URL shortener service dubbed “Prolific Puma Service.”











Domain Generator and URL Shortener





In 2023, the $8 trillion cybercrime economy ranks third globally. Puma aids this network, crafting deceptive domain names (RDGA) for:-






  • Link shortening




  • Aiding phishing




  • Scams




  • Malware spread 





Disrupting Prolific Puma Service means hitting the criminal economy hard, as they create numerous deceptive domains and shorten links for malicious actors, hiding their actions.





Prolific Puma’s role in the cybercrime supply chain (Source – Infoblox)




This finding highlights the power of using DNS data to spot threats. Prolific Puma was tracked via DNS, showing challenges for domain authorities in controlling abuse. 





Distance from the crime can divert the takedowns, and researchers first spotted Puma domains via RDGA detection six months ago.





Prolific Puma offers covert link shortening for threat actors, and directly accessing an active SLD presents this message:-






  • {“type”: “service”,”name”:”@link-shortener/handler-service”}





Link shorteners simplify web link sharing and tackle social media size limits. When a user clicks, a DNS request resolves the shortening service’s IP, like tinyurl[.]com. 





The web request contains a hash to redirect, and additional DNS queries find the content’s IP. Legitimate users shorten links, but malicious actors may use complex redirection layers.





A notional path (Source – Infoblox)




Malicious use of link shorteners, like TinyURL, BitLy, and Google, is common for phishing. Companies should avoid popular shorteners in emails. Prolific Puma’s services remained low-key.





Investigating link shorteners is tricky, as the final landing page can’t be determined without a full URL. Detecting suspicious domains with no public presence raises questions about their usage.





Prolific Puma registered thousands of usTLD domains since May 2023, violating usTLD rules. The usTLD is known for abuse, and privacy issues persist, mainly with NameSilo as the registrar. 





Private registration in the usTLD is unauthorized but exists, and to combat DNS threats, collaboration is needed.





Threat actors show unique traits in their tactics, and Prolific Puma, a DNS threat actor, uses private registration but public usTLD domains with an email reference to the obscure song ‘October 33’ by the lesser-known band, the Black Pumas. 





They also adopt the name ‘Leila Puma,’ which alludes to the same band and adds a touch of mystery with a personal Ukrainian email.





Indicators of Activity










  • hygmi[.]com




  • yyds[.]is




  • 0cq[.]us




  • 4cu[.]us




  • regz[.]info




  • u5s[.]us




  • 1jb[.]us




  • jrbc[.]info




  • uhje[.]me




  • 0md[.]us




  • fh3[.]us




  • 0qa[.]us




  • 9jw[.]us




  • iv0[.]us




  • od9[.]us




  • rpzp[.]me




  • 8fx[.]us




  • 3vb[.]us




  • r1u[.]us




  • zost[.]link




  • 9ow[.]us




  • sf8i[.]us




  • bu9[.]us




  • ce2[.]us




  • wf6[.]us




  • v8z[.]us




  • zj4[.]us




  • rjvb[.]link




  • fssu[.]link




  • xbsf[.]link




  • wqeh[.]link




  • ymql[.]link




  • 7tz[.]us




  • w6q[.]us




  • giqj[.]me




  • u3q[.]us




  • ke0[.]us




  • v1u[.]us




  • ti7[.]us




  • 2zc[.]us




  • gf6[.]us




  • 6dr[.]us




  • 6or[.]us




  • kc0[.]us




  • 0ty[.]us




  • styi.info




  • 6fe[.]us




  • u8n[.]us




  • d6s[.]us










  • 45[.]32[.]147[.]158




  • 62[.]3[.]15[.]55




  • 45[.]32[.]212[.]77




  • 149[.]248[.]2[.]42





Redirection and landing pages:






  • bwkd[.]me




  • ksaguna[.]com




  • asdboloa[.]com




  • game.co[.]za





Browser-plugin malware domains:






  • fubsdgd[.]com





Prolific Puma registration email address:






  • blackpumaoct33@ukr[.]net





Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.


The post Uncovering Prolific Puma, Massive Domain Generator & URL Shortener appeared first on GBHackers on Security | #1 Globally Trusted Cyber Security News Platform.



Source: gbHackers
Source Link: https://gbhackers.com/domain-generator-and-url-shortener/


Comments
new comment
Nobody has commented yet. Will you be the first?
 
Forum
Red Team (CNA)



Copyright 2012 through 2024 - National Cyber Warfare Foundation - All rights reserved worldwide.