Monday, October 7, 2024
HomeCyber AttackApateWeb: Hackers Using 130,000+ Domains to Launch Cyber Attacks

ApateWeb: Hackers Using 130,000+ Domains to Launch Cyber Attacks

Published on

A new large-scale campaign named “ApateWeb ” has been discovered, which uses over 130,000 domains to deliver scareware, potentially unwanted programs, and other scam pages. Threat actors use deceptive emails to lure victims into their malicious websites and redirect them to their infrastructure for delivering malware.

This particular campaign has a complex infrastructure with multilayered systems and several redirections between the entry point and the delivery of the final payload. The campaign has been active for the past three years, from 2022 to now. 

The potential impact of this campaign is massive as hundreds of these malicious attacker-controlled domains remain on the top list of 1 million websites, contributing to millions of unique visits every month.

- Advertisement - EHA
ApateWeb Campaign Infrastructure (Source: Unit 42)
ApateWeb Campaign Infrastructure (Source: Unit 42)
Document
Run Free ThreatScan on Your Mailbox

AI-Powered Protection for Business Email Security

Trustifi’s Advanced threat protection prevents the widest spectrum of sophisticated attacks before they reach a user’s mailbox. Try Trustifi Free Threat Scan with Sophisticated AI-Powered Email Protection .

ApateWeb: 130,000+ Domains

According to the reports shared with Cyber Security News, the campaign has a complex workflow and infrastructure setup by threat actors for evading crawlers, bots, security defenders’ scans, and other research mechanisms. However, the campaign can be dissected into three layers.

The First Layer (Layer 1) consists of the entry point URLs distributed to victims through emails. From here, the traffic is routed through the second layer (Layer 2). A series of redirections are performed, including adware or anti-bot verification, and finally, the last layer (Layer 3) is served. 

This final layer delivers the malicious payload, which could be a scareware, PUP, or scam page. 93% of the attacker-owned domains resolve to only 10 IP addresses, which are 

  • 192[.]243[.]59[.]20
  • 192[.]243[.]59[.]13
  • 192[.]243[.]59[.]12
  • 192[.]243[.]61[.]227
  • 192[.]243[.]61[.]225
  • 173[.]233[.]139[.]164
  • 173[.]233[.]137[.]60
  • 173[.]233[.]137[.]52
  • 173[.]233[.]137[.]44
  • 173[.]233[.]137[.]36

Layer 1: Entry Point

The techniques employed in this layer include redirection to search engines, error message displaying for bots/crawlers, and abusing wildcard DNS to generate a large number of subdomains as a means of evading detection.

Moreover, this layer consists of the entry point URL and specific parameters. Failure of these URL parameters results in an error page or no content being served to the victim. Additionally, there is also an initial payload in this layer that can assign Unique identifiers to each visitor.

Layer 2: Intermediate redirections

This layer performs several intermediate redirections using random domains before routing to Layer 3. Moreover, the redirection includes additional parameters which, when examined, revealed that the campaign was able to be monetized by forwarding traffic to the adware.

In addition to this, there are also anti-bot verifications performed in this layer, some of which require human interaction, such as a CAPTCHA. In some cases, Layer 2 is skipped from redirection and directly Layer 3 is served.

CAPTCHA verification (Source: Unit 42)
CAPTCHA verification (Source: Unit 42)

Layer 3: Redirection to Final Payload

This is the final stage of the attack chain, which serves as a web page for downloading the malicious program. Their malicious payloads are found to be hosted on public cloud environments. In some cases, the malicious payloads were also found to be unwanted browsers and extensions.

Payload Delivery (Source: Unit 42)
Payload Delivery (Source: Unit 42)

The campaign has been published by Unit 42, which provides detailed information about the URLs used, methodologies, evasion tactics, and other information.

Indicators of Compromise

Campaign entry point example

  • featuresscanner[.]com

Domains part of centralized infrastructure to track victims

  • professionalswebcheck[.]com
  • hightrafficcounter[.]com
  • proftrafficcounter[.]com
  • experttrafficmonitor[.]com

IP addresses hosting campaign entry point

  • 192[.]243[.]59[.]20
  • 192[.]243[.]59[.]13
  • 192[.]243[.]59[.]12
  • 192[.]243[.]61[.]227
  • 192[.]243[.]61[.]225
  • 173[.]233[.]139[.]164
  • 173[.]233[.]137[.]60
  • 173[.]233[.]137[.]52
  • 173[.]233[.]137[.]44
  • 173[.]233[.]137[.]36

Traffic forwarded to adware

  • tracker-tds[.]info
  • jpadsnow[.]com
  • ad-blocking24[.]net
  • Myqenad24[.]com

PUP download example:

  • bd62d3808ef29c557da64b412c4422935a641c22e2bdcfe5128c96f2ff5b5e99
  • artificius[.]com

Other campaign domains:

  • hoanoola[.]net
  • allureoutlayterrific[.]com

Follow us on LinkedIn for the latest cybersecurity news, whitepapers, infographics, and more. Stay informed and up-to-date with the latest trends in cybersecurity.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Chinese Group Hacked US Court Wiretap Systems

Chinese hackers have infiltrated the networks of major U.S. broadband providers, gaining access to...

19.6K+ Public Zimbra Installations Vulnerable to Code Execution Attacks – CVE-2024-45519

A critical vulnerability in Zimbra's postjournal service, identified as CVE-2024-45519, has left over 19,600...

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...

Microsoft, DOJ Dismantle Domains Used by Russian FSB-Linked Hacking Group

Microsoft and the U.S. Department of Justice (DOJ) have successfully dismantled a network of...

Free Webinar

Decoding Compliance | What CISOs Need to Know

Non-compliance can result in substantial financial penalties, with average fines reaching up to $4.5 million for GDPR breaches alone.

Join us for an insightful panel discussion with Chandan Pani, CISO - LTIMindtree and Ashish Tandon, Founder & CEO – Indusface, as we explore the multifaceted role of compliance in securing modern enterprises.

Discussion points

The Role of Compliance
The Alphabet Soup of Compliance
Compliance
SaaS and Compliance
Indusface's Approach to Compliance

More like this

Chinese Group Hacked US Court Wiretap Systems

Chinese hackers have infiltrated the networks of major U.S. broadband providers, gaining access to...

19.6K+ Public Zimbra Installations Vulnerable to Code Execution Attacks – CVE-2024-45519

A critical vulnerability in Zimbra's postjournal service, identified as CVE-2024-45519, has left over 19,600...

Prince Ransomware Hits UK and US via Royal Mail Phishing Scam

A new ransomware campaign targeting individuals and organizations in the UK and the US...