Triad Nexus, Chinese Hackers Using 200,000 Domains For Widespread Cyber Attack

Researchers identified FUNNULL, a Chinese CDN, as hosting malicious content, which includes fake trading apps for financial fraud, gambling sites likely used for money laundering, and phishing login pages targeting luxury brands. 

The gambling sites use algorithmically generated domains and Tether cryptocurrency, possibly to bypass blocking and facilitate cross-border money flows. 

FUNNULL acquired polyfill.io, a JavaScript library used by major websites, raising concerns about potential supply chain attacks, lacks a clear takedown process and uses bulletproof hosting tactics, making it difficult to remove malicious content. 

A significant global financial fraud campaign leveraging the FUNNULL CDN infrastructure and hosts a vast array of malicious content, including fake trading apps impersonating reputable financial institutions, fraudulent job scams, and numerous suspect gambling websites. 

2024 MITRE ATT&CK Evaluation Results for SMEs & MSPs -> Download Free Guide

The threat actors employ Domain Generation Algorithms (DGAs) to generate a high volume of unique hostnames, obscuring their malicious activities. 

Its extensive network of Points of Presence (PoPs) distributed across various regions, including major cloud providers like Microsoft and Amazon, facilitates the rapid deployment and dissemination of these fraudulent schemes.

FUNNULL, a CDN service with ties to ACB Group, has been implicated in facilitating online gambling activities, as the company operates out of China and caters to a niche market, offering discounted rates for bulk domain management. 

Many gambling websites, including those associated with Suncity Group, a company involved in illegal gambling and money laundering, are hosted on FUNNULL’s servers, suggesting that FUNNULL may be complicit in these illicit activities, potentially violating Chinese laws and international regulations. 

An investigation by Silent Push into Suncity Group’s online gambling operations revealed a large network of websites hosted on the FUNNULL content delivery network (CDN). 

It led to the discovery of a GitHub account “xianludh” containing templates for these gambling sites, which suggests a single source creating a significant portion of FUNNULL-hosted content. 

Further investigation of the “xianludh” repository uncovered a page mentioning money laundering and linking to Telegram channels promoting “money-moving” networks, which appear to be facilitated by FUNNULL-hosted websites as well, suggesting a connection between Suncity’s gambling and potential money laundering activities. 

A large-scale phishing campaign targeting major retail brands, as the attacks, orchestrated by a threat actor leveraging the FUNNULL CDN, involved malicious login pages designed to steal user credentials. 

In order to obtain sensitive information, these phishing websites, which were frequently hosted on subdomains of compromised domains, carried out similar techniques. 

The FUNNULL CDN has also been implicated in other cyberattacks, including a supply chain attack targeting over 110,000 websites through the polyfill.io library, which highlights the potential risks associated with using less reputable CDNs and underscores the importance of vigilant security practices to protect against such threats.

Investigate Real-World Malicious Links, Malware & Phishing Attacks With ANY.RUN – Try for Free