One Domain to Catch Them All: Uncovering Multiple Phishing Domains in the Same Threat Actor’s Hands
I recently read some excellent research on Threat Intelligence by Matthew, who posted blogs on how to hunt for further threat actor infrastructure starting from a single domain, leading to the discovery of tens of domains under the same umbrella.
His blog posts were truly inspiring! So I picked up a publicly submitted phishing URL sample from Any.Run and analyzed it, focusing on hunting for additional infrastructure used by the same threat actor.
As a result, I discovered an additional 8,481 domains and 3 IP addresses in the same threat actor’s hands.
Now, join me on my adventure in Cyber Threat Intelligence (CTI).
Initial Intelligence
I found an interesting URL submitted to Any.Run from Thailand on June 25, 2024, and it was tagged as “No threats detected.” The original phishing URL is:
hxxps://www.google[.]com/url?q=//www.google.com.co/amp/s/899415.imfgo.org/zagiryegrt/qopfhygt/paorufgh/3ipmnw/pa[redacted]ir@bumrungrad.com
Upon seeing the URL, I immediately recognized the Google URL Redirect tactic. This time, instead of delving into how the threat actor attempts to evade detection, we will focus on hunting the infrastructure.
Figure 1 the phishing URL found on Any.Run was submitted from Thailand.
The destination page of this redirection lands on the domain yamstel[.]com, which we will count as our initial phishing domain. In this instance, the phishing page is disguised as an Outlook login form, with the target's email address pa[redacted]ir@bumrungrad[.]com already pre-filled in the login field, as seen in Figure 2.
For those who are curious, Bumrungrad is a super luxury private hospital chain based in Thailand.
Figure 2 the phishing page.
Pivoting on the Initial Phishing Domain
We will begin pivoting on the initial phishing domain, yamstel[.]com. I started by using Whois.com to check the WHOIS record. Besides the registrar information and the registration date of this domain, I found that the domain is behind Cloudflare, making it challenging to acquire further information about the domain.
Figure 3 domain information detail from the WHOIS lookup result
I continued checking the WHOIS lookup result, and fortunately, the registrant data is available to us. The threat actor used the name Suiot Dishak to register the domain, although there is a high chance this could be a fake name. Nonetheless, it is valuable for tracking the campaign in the future.
And now the exciting part happens. You should notice the email address sui89657@proton[.]me in the Registrant Contact information, as depicted in Figure 3. This is the email address used by the threat actor to register the domain.
Figure 3 Registrant Contact detail from the WHOIS lookup result.
Next, I picked up the email address and checked it with a reverse WHOIS lookup using a service like WHOXY.com. I found an additional 18 domains that were registered by the same threat actor, and you can see the domain names in Figure 4.
Figure 4 the results from reverse WHOIS lookup using the email address of the threat actor.
Besides the names of the 18 additional domains, the picture above provides a lot of useful intelligence. For example:
- We now know that the favorite registrars of the threat actor are PSI-USA, Inc. and PDR Ltd. If your organization is on their target list, it’s advisable to monitor domains registered through these registrars when hunting.
- Some of the domain names follow the pattern WORD-{TWO LETTER COUNTRY CODES} with the .com Top Level Domain (TLD), for example, atnpetroleum-tz[.]com, coralenregy-ch[.]com, and ahmedfood-pk[.]com.
- Upon examining some of the domain names, I noticed that the threat actor used typosquatting to create look-alike domain names of companies from various locations worldwide. For instance, ATN PETROLEUM from Tanzania, Coral Energy from Dubai, and Consolidated Can Manufacturing from Saudi Arabia. I won’t list all of them here, but you can check for targeted companies in the domain IOCs.
- The domains were registered between July and November 2023 but were likely used in attacks separated into two waves: the first wave from September to November 2023, and the recent wave in April 2024.
Additionally, if we check the MX records of these domains, we will see that they are using the same service, mailhostbox[.]com.
Figure 5 MX record lookup result.
They tend to use orderbox-dns[.]com as the nameserver for domains that are not behind Cloudflare.
Figure 6 NS record lookup result.
The gathered information will be used as criteria in the correlation process later.
Now that we have retrieved 18 domains from the reverse WHOIS lookup, we can conduct threat intelligence on them to find more infrastructure.
Continuing Pivoting on the Retrieved Domains
To investigate further, we will check the DNS records of these 18 domains using the bulk DNS lookup service named InfoByIp.com, and I must say the results are excellent.
This time, the threat actor did not put all of the domains behind Cloudflare, so we can see the real IP addresses of some domains in the A Records column. There are a total of 3 IP addresses discovered in this case: 5.230.44[.]64, 193.239.84[.]207, and 45.91.171[.]151, as depicted in Figure 7.
Figure 7 DNS lookup result reveals that some of the domains were not placed behind Cloudflare.
To keep this report concise, I will demonstrate the pivoting process using a single IP address from the list: 193.239.84[.]207 on ASN 9009. The same methods can be applied to the other identified IP addresses.
We will use the IP address above to perform a passive DNS lookup and identify any domains hosted on the same server, then examine their maliciousness. For this, we can use the service called SilentPush, similar to what Matthew did. The result returns a total of 130,135 domains shared on the same IP. Since this number is very high and we cannot inspect every domain here, we will focus only on domains with a specific pattern.
Figure 8 the passive DNS lookup results on IP 193.239.84[.]207.
Recall the 18 domains we discovered earlier, registered between July and November 2023. After applying this time range to the First Seen column, there are still over 4,000 domains in the result.
Next, I attempted to find domains with the pattern WORD-{TWO LETTER COUNTRY CODES} with the .com TLD using the regular expression ^\w+-[a-z]{2}.com$. I intended to use this regex in an advanced query in SilentPush, but unfortunately, I encountered issues with this feature.
Therefore, I opted to conduct the search manually. I acquired the domain list page by page and filtered it using the regex mentioned above until my daily quota was exhausted. Despite this, I managed to retrieve a total of 387 domains from this attempt.
Figure 9 part of the 387 domain names.
In the next step, we need to identify domains that meet the same criteria as the malicious domain we found earlier, which are:
- Registered with PSI-USA, Inc. or PDR Ltd.
- Using the nameserver orderbox-dns[.]com.
- MX record pointing to mailhostbox[.]com.
As of now, the number of domains meeting these criteria has been reduced to 336. I conclude with a high level of confidence that these 336 domains are suspicious.
Figure 10 domain reputation check results from www.bulkblacklist[.]com
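As an added example (not the author's tooling), the naming-pattern filter and the three correlation criteria from the pivot above, expressed in Python over a handful of records. The registrar, NS and MX values in the sample records are constructed, and the dot in the author's regex is escaped here so that it matches only a literal ".".

```python
import re
from datetime import date

# WORD-{CC}.com pattern; the dot is escaped so it matches a literal '.'
# (an unescaped '.' would also accept strings such as 'foo-tzxcom').
PATTERN = re.compile(r"^\w+-[a-z]{2}\.com$")

# Correlation criteria observed on the 18 known domains.
REGISTRARS = {"PSI-USA, Inc.", "PDR Ltd."}
NAMESERVER_SUFFIX = "orderbox-dns.com"
MX_SUFFIX = "mailhostbox.com"
FIRST_SEEN_RANGE = (date(2023, 7, 1), date(2023, 11, 30))


def matches_pattern(domain: str) -> bool:
    return PATTERN.match(domain.lower()) is not None


def in_first_seen_range(first_seen: date) -> bool:
    lo, hi = FIRST_SEEN_RANGE
    return lo <= first_seen <= hi


def meets_criteria(rec: dict) -> bool:
    """True when a passive-DNS/WHOIS record satisfies every correlation criterion."""
    return (
        matches_pattern(rec["domain"])
        and in_first_seen_range(rec["first_seen"])
        and rec["registrar"] in REGISTRARS
        and any(ns.lower().endswith(NAMESERVER_SUFFIX) for ns in rec["ns"])
        and any(mx.lower().endswith(MX_SUFFIX) for mx in rec["mx"])
    )


def filter_suspicious(records) -> list:
    return sorted(r["domain"] for r in records if meets_criteria(r))


# Constructed sample records: registrar/NS/MX values are illustrative, not looked up.
SAMPLE_RECORDS = [
    {"domain": "atnpetroleum-tz.com", "first_seen": date(2023, 9, 12), "registrar": "PDR Ltd.",
     "ns": ["dns1.orderbox-dns.com"], "mx": ["mx1.mailhostbox.com"]},
    {"domain": "ahmedfood-pk.com", "first_seen": date(2023, 10, 3), "registrar": "PSI-USA, Inc.",
     "ns": ["dns2.orderbox-dns.com"], "mx": ["mx2.mailhostbox.com"]},
    # Name fits the pattern, but the hosting fingerprint differs: not correlated.
    {"domain": "shop-us.com", "first_seen": date(2023, 8, 1), "registrar": "Other Registrar",
     "ns": ["ns1.example.net"], "mx": ["mail.example.net"]},
    # Right fingerprint, but the name and first-seen date do not fit.
    {"domain": "constructedname.com", "first_seen": date(2024, 4, 2), "registrar": "PDR Ltd.",
     "ns": ["dns1.orderbox-dns.com"], "mx": ["mx1.mailhostbox.com"]},
]

if __name__ == "__main__":
    print(filter_suspicious(SAMPLE_RECORDS))
```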
The pivoting process is complete at this point. In the real world, you can select any domain or IP address from the results and initiate the pivoting cycle again to hunt for more suspicious domains if desired.
For now, let me show you a sample where I was fortunate enough to find a gold mine.
Muhammad and His Appleseed
I randomly picked the domain zuesmaritime-pe[.]com because, in my case, it is in the first line of the 336 domains list. Upon checking the domain using WHOIS record lookup, I found the email address muhammad.appleseed1@mail[.]ru in the registrant data.
Figure 11 registrant data of the domain zuesmaritime-pe[.]com.
So I grabbed the email address and checked it in the reverse WHOIS lookup. Honestly, the returned data exceeded my expectations because this email address has been used to register 8,127 domain names. Surprisingly, the latest registered domain was just registered on June 26, 2024.
Figure 12 the result from reverse WHOIS lookup.
I also found a blog post from 2020 created by REDTEAM.PL reporting that domains registered using the email address muhammad.appleseed1@mail[.]ru were used in a spear phishing campaign.
Figure 13 spear-phishing campaign reported by REDTEAM.PL.
This means the campaign has been operational for at least 4 years and is still very active. The threat actor has also expanded their capabilities from fraud attempts to AiTM attacks.
Figure 14 this threat actor reminds me of this meme.
Conclusion
We started with one phishing domain, yamstel[.]com, and pivoted to discover another 18 domains registered using the same email address sui89657@proton[.]me.
Following one of its IP addresses, we identified tens of thousands of domains on the same server. Using data gathered from observing the 18 domains, we filtered the results and identified 336 suspicious domains.
We selected one domain from the 336 choices and found the email address muhammad.appleseed1@mail[.]ru, belonging to the phishing threat actor who possesses over 8,127 suspicious domains in their arsenal.
In summary, we have identified and confirmed that the threat actor who attacked Bumrungrad Hospital in Thailand also conducted campaigns targeting organizations worldwide.
For details on Indicators of Compromise (IoCs), please refer to my GitHub repository.
References
- https://app.any.run/tasks/cc4978b7-0048-4066-bf4c-c7b02eea4817/
- https://www.embeeresearch.io/
- https://www.whois.com/
- https://www.whoxy.com/
- https://silentpush.com/
- https://www.bulkblacklist.com/
- https://www.bulkseotools.com/bulk-whois-lookup.php
- https://blog.redteam.pl/2020/06/spear-phishing-muhammad-appleseed1-mail-ru.html