Thursday, December 12, 2024
HomeCyber CrimeTriad Nexus, Chinese Hackers Using 200,000 Domains For Widespread Cyber Attack

Triad Nexus, Chinese Hackers Using 200,000 Domains For Widespread Cyber Attack

Published on

SIEM as a Service

Researchers identified FUNNULL, a Chinese CDN, as hosting malicious content, which includes fake trading apps for financial fraud, gambling sites likely used for money laundering, and phishing login pages targeting luxury brands. 

The gambling sites use algorithmically generated domains and Tether cryptocurrency, possibly to bypass blocking and facilitate cross-border money flows. 

FUNNULL acquired polyfill.io, a JavaScript library used by major websites, raising concerns about potential supply chain attacks, lacks a clear takedown process and uses bulletproof hosting tactics, making it difficult to remove malicious content. 

- Advertisement - SIEM as a Service
An error page with a consistent theme referencing FUNNULL
An error page with a consistent theme referencing FUNNULL

A significant global financial fraud campaign leveraging the FUNNULL CDN infrastructure and hosts a vast array of malicious content, including fake trading apps impersonating reputable financial institutions, fraudulent job scams, and numerous suspect gambling websites. 

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The threat actors employ Domain Generation Algorithms (DGAs) to generate a high volume of unique hostnames, obscuring their malicious activities. 

Its extensive network of Points of Presence (PoPs) distributed across various regions, including major cloud providers like Microsoft and Amazon, facilitates the rapid deployment and dissemination of these fraudulent schemes.

FUNNULL CNAME chains
FUNNULL CNAME chains

FUNNULL, a CDN service with ties to ACB Group, has been implicated in facilitating online gambling activities, as the company operates out of China and caters to a niche market, offering discounted rates for bulk domain management. 

Many gambling websites, including those associated with Suncity Group, a company involved in illegal gambling and money laundering, are hosted on FUNNULL’s servers, suggesting that FUNNULL may be complicit in these illicit activities, potentially violating Chinese laws and international regulations. 

ACB Group public webpage
ACB Group public webpage

An investigation by Silent Push into Suncity Group’s online gambling operations revealed a large network of websites hosted on the FUNNULL content delivery network (CDN). 

It led to the discovery of a GitHub account “xianludh” containing templates for these gambling sites, which suggests a single source creating a significant portion of FUNNULL-hosted content. 

Further investigation of the “xianludh” repository uncovered a page mentioning money laundering and linking to Telegram channels promoting “money-moving” networks, which appear to be facilitated by FUNNULL-hosted websites as well, suggesting a connection between Suncity’s gambling and potential money laundering activities. 

“xianludh” template found on GitHub
“xianludh” template found on GitHub

A large-scale phishing campaign targeting major retail brands, as the attacks, orchestrated by a threat actor leveraging the FUNNULL CDN, involved malicious login pages designed to steal user credentials. 

In order to obtain sensitive information, these phishing websites, which were frequently hosted on subdomains of compromised domains, carried out similar techniques. 

The FUNNULL CDN has also been implicated in other cyberattacks, including a supply chain attack targeting over 110,000 websites through the polyfill.io library, which highlights the potential risks associated with using less reputable CDNs and underscores the importance of vigilant security practices to protect against such threats.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free

Latest articles

Antidot Malware Attacking Employees Android Devices To Inject Malicious Payloads

Researchers discovered a new variant of the AntiDot banking trojan targeting Android mobile devices...

Malicious ESLint Package Let Attackers Steal Data And Inject Remote Code

Cybercriminals exploited typosquatting to deploy a malicious npm package, `@typescript_eslinter/eslint`, targeting developers seeking the...

New Chinese Surveillance Tool Attack Android Users Since 2017

Wuhan Chinasoft Token Information Technology Co., Ltd. developed EagleMsgSpy, a surveillance tool operational since...

ConvoC2 – A Red Teamers Tool To Execute Commands on Hacked Hosts Via Microsoft Teams

A stealthy Command-and-Control (C2) infrastructure Red Team tool named ConvoC2 showcases how cyber attackers...

API Security Webinar

72 Hours to Audit-Ready API Security

APIs present a unique challenge in this landscape, as risk assessment and mitigation are often hindered by incomplete API inventories and insufficient documentation.

Join Vivek Gopalan, VP of Products at Indusface, in this insightful webinar as he unveils a practical framework for discovering, assessing, and addressing open API vulnerabilities within just 72 hours.

Discussion points

API Discovery: Techniques to identify and map your public APIs comprehensively.
Vulnerability Scanning: Best practices for API vulnerability analysis and penetration testing.
Clean Reporting: Steps to generate a clean, audit-ready vulnerability report within 72 hours.

More like this

Antidot Malware Attacking Employees Android Devices To Inject Malicious Payloads

Researchers discovered a new variant of the AntiDot banking trojan targeting Android mobile devices...

Malicious ESLint Package Let Attackers Steal Data And Inject Remote Code

Cybercriminals exploited typosquatting to deploy a malicious npm package, `@typescript_eslinter/eslint`, targeting developers seeking the...

New Chinese Surveillance Tool Attack Android Users Since 2017

Wuhan Chinasoft Token Information Technology Co., Ltd. developed EagleMsgSpy, a surveillance tool operational since...