Thursday, November 30, 2023

Uncovering Prolific Puma, Massive Domain Generator & URL Shortener

Hackers can exploit Massive Domain Generator and URL Shortener services by creating large numbers of deceptive or malicious domains and using URL shorteners to hide the true destination of links. 

This can be used for the following illicit purposes:- 

  • Phishing attacks
  • Spreading malware
  • Directing unsuspecting users to malicious websites
  • Makes it harder to trace the source of the attacks

Recently, cybersecurity analysts at Infoblox uncovered a massive domain generator and URL shortener service dubbed “Prolific Puma Service.”

Domain Generator and URL Shortener

In 2023, the $8 trillion cybercrime economy ranks third globally. Puma aids this network, crafting deceptive domain names (RDGA) for:-

  • Link shortening
  • Aiding phishing
  • Scams
  • Malware spread 

Disrupting Prolific Puma Service means hitting the criminal economy hard, as they create numerous deceptive domains and shorten links for malicious actors, hiding their actions.

Prolific Puma’s role in the cybercrime supply chain (Source – Infoblox)

This finding highlights the power of using DNS data to spot threats. Prolific Puma was tracked via DNS, showing challenges for domain authorities in controlling abuse. 

Distance from the crime can divert the takedowns, and researchers first spotted Puma domains via RDGA detection six months ago.

Prolific Puma offers covert link shortening for threat actors, and directly accessing an active SLD presents this message:-

  • {“type”: “service”,”name”:”@link-shortener/handler-service”}

Link shorteners simplify web link sharing and tackle social media size limits. When a user clicks, a DNS request resolves the shortening service’s IP, like tinyurl[.]com. 

The web request contains a hash to redirect, and additional DNS queries find the content’s IP. Legitimate users shorten links, but malicious actors may use complex redirection layers.

A notional path (Source – Infoblox)

Malicious use of link shorteners, like TinyURL, BitLy, and Google, is common for phishing. Companies should avoid popular shorteners in emails. Prolific Puma’s services remained low-key.

Investigating link shorteners is tricky, as the final landing page can’t be determined without a full URL. Detecting suspicious domains with no public presence raises questions about their usage.

Prolific Puma registered thousands of usTLD domains since May 2023, violating usTLD rules. The usTLD is known for abuse, and privacy issues persist, mainly with NameSilo as the registrar. 

Private registration in the usTLD is unauthorized but exists, and to combat DNS threats, collaboration is needed.

Threat actors show unique traits in their tactics, and Prolific Puma, a DNS threat actor, uses private registration but public usTLD domains with an email reference to the obscure song ‘October 33’ by the lesser-known band, the Black Pumas. 

They also adopt the name ‘Leila Puma,’ which alludes to the same band and adds a touch of mystery with a personal Ukrainian email.

Indicators of Activity

  • hygmi[.]com
  • yyds[.]is
  • 0cq[.]us
  • 4cu[.]us
  • regz[.]info
  • u5s[.]us
  • 1jb[.]us
  • jrbc[.]info
  • uhje[.]me
  • 0md[.]us
  • fh3[.]us
  • 0qa[.]us
  • 9jw[.]us
  • iv0[.]us
  • od9[.]us
  • rpzp[.]me
  • 8fx[.]us
  • 3vb[.]us
  • r1u[.]us
  • zost[.]link
  • 9ow[.]us
  • sf8i[.]us
  • bu9[.]us
  • ce2[.]us
  • wf6[.]us
  • v8z[.]us
  • zj4[.]us
  • rjvb[.]link
  • fssu[.]link
  • xbsf[.]link
  • wqeh[.]link
  • ymql[.]link
  • 7tz[.]us
  • w6q[.]us
  • giqj[.]me
  • u3q[.]us
  • ke0[.]us
  • v1u[.]us
  • ti7[.]us
  • 2zc[.]us
  • gf6[.]us
  • 6dr[.]us
  • 6or[.]us
  • kc0[.]us
  • 0ty[.]us
  • 6fe[.]us
  • u8n[.]us
  • d6s[.]us
  • 45[.]32[.]147[.]158
  • 62[.]3[.]15[.]55
  • 45[.]32[.]212[.]77
  • 149[.]248[.]2[.]42

Redirection and landing pages:

  • bwkd[.]me
  • ksaguna[.]com
  • asdboloa[.]com

Browser-plugin malware domains:

  • fubsdgd[.]com

Prolific Puma registration email address:

  • blackpumaoct33@ukr[.]net

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.


Latest articles

Chrome Zero-Day Vulnerability That Exploited In The Wild

Google has fixed the sixth Chrome zero-day bug that was exploited in the wild this...

Iranian Mobile Banking Malware Steal Login Credentials & Steal OTP Codes

An Android malware campaign was previously discovered that distributed banking trojans targeting four major...

BLUFFS: Six New Attacks that Break Secrecy of Bluetooth Sessions

Six novel Bluetooth attack methods have been discovered, which were named BLUFFS (Bluetooth Forward...

Google Workspace’s Design Flaw Allows Attacker Unauthorized Access

Recent years saw a surge in cloud tech adoption, highlighting the efficiency through tools...

Serial ‘SIM Swapper’ Sentenced to Eight Years in Prison

In a digital age marred by deceit, 25-year-old Amir Hossein Golshan stands as a...

Design Flaw in Domain-Wide Delegation Could Leave Google Workspace Vulnerable to Takeover – Hunters

BOSTON, MASS. and TEL AVIV, ISRAEL, November 28, 2023 - A severe design flaw...

Hackers Behind High-Profile Ransomware Attacks on 71 Countries Arrested

Hackers launched ransomware attacks to extort money from the following two entities by encrypting...
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

API Attack Simulation Webinar

Live API Attack Simulation

In the upcoming webinar, Karthik Krishnamoorthy, CTO and Vivek Gopalan, VP of Products at Indusface demonstrate how APIs could be hacked.The session will cover:an exploit of OWASP API Top 10 vulnerability, a brute force account take-over (ATO) attack on API, a DDoS attack on an API, how a WAAP could bolster security over an API gateway

Related Articles