Tuesday, June 18, 2024

Uncovering Prolific Puma, Massive Domain Generator & URL Shortener

Hackers can exploit Massive Domain Generator and URL Shortener services by creating large numbers of deceptive or malicious domains and using URL shorteners to hide the true destination of links. 

This can be used for the following illicit purposes:- 

  • Phishing attacks
  • Spreading malware
  • Directing unsuspecting users to malicious websites
  • Makes it harder to trace the source of the attacks

Recently, cybersecurity analysts at Infoblox uncovered a massive domain generator and URL shortener service dubbed “Prolific Puma Service.”

Domain Generator and URL Shortener

In 2023, the $8 trillion cybercrime economy ranks third globally. Puma aids this network, crafting deceptive domain names (RDGA) for:-

  • Link shortening
  • Aiding phishing
  • Scams
  • Malware spread 

Disrupting Prolific Puma Service means hitting the criminal economy hard, as they create numerous deceptive domains and shorten links for malicious actors, hiding their actions.

Prolific Puma’s role in the cybercrime supply chain (Source – Infoblox)

This finding highlights the power of using DNS data to spot threats. Prolific Puma was tracked via DNS, showing challenges for domain authorities in controlling abuse. 

Distance from the crime can divert the takedowns, and researchers first spotted Puma domains via RDGA detection six months ago.

Prolific Puma offers covert link shortening for threat actors, and directly accessing an active SLD presents this message:-

  • {“type”: “service”,”name”:”@link-shortener/handler-service”}

Link shorteners simplify web link sharing and tackle social media size limits. When a user clicks, a DNS request resolves the shortening service’s IP, like tinyurl[.]com. 

The web request contains a hash to redirect, and additional DNS queries find the content’s IP. Legitimate users shorten links, but malicious actors may use complex redirection layers.

A notional path (Source – Infoblox)

Malicious use of link shorteners, like TinyURL, BitLy, and Google, is common for phishing. Companies should avoid popular shorteners in emails. Prolific Puma’s services remained low-key.

Investigating link shorteners is tricky, as the final landing page can’t be determined without a full URL. Detecting suspicious domains with no public presence raises questions about their usage.

Prolific Puma registered thousands of usTLD domains since May 2023, violating usTLD rules. The usTLD is known for abuse, and privacy issues persist, mainly with NameSilo as the registrar. 

Private registration in the usTLD is unauthorized but exists, and to combat DNS threats, collaboration is needed.

Threat actors show unique traits in their tactics, and Prolific Puma, a DNS threat actor, uses private registration but public usTLD domains with an email reference to the obscure song ‘October 33’ by the lesser-known band, the Black Pumas. 

They also adopt the name ‘Leila Puma,’ which alludes to the same band and adds a touch of mystery with a personal Ukrainian email.

Indicators of Activity

  • hygmi[.]com
  • yyds[.]is
  • 0cq[.]us
  • 4cu[.]us
  • regz[.]info
  • u5s[.]us
  • 1jb[.]us
  • jrbc[.]info
  • uhje[.]me
  • 0md[.]us
  • fh3[.]us
  • 0qa[.]us
  • 9jw[.]us
  • iv0[.]us
  • od9[.]us
  • rpzp[.]me
  • 8fx[.]us
  • 3vb[.]us
  • r1u[.]us
  • zost[.]link
  • 9ow[.]us
  • sf8i[.]us
  • bu9[.]us
  • ce2[.]us
  • wf6[.]us
  • v8z[.]us
  • zj4[.]us
  • rjvb[.]link
  • fssu[.]link
  • xbsf[.]link
  • wqeh[.]link
  • ymql[.]link
  • 7tz[.]us
  • w6q[.]us
  • giqj[.]me
  • u3q[.]us
  • ke0[.]us
  • v1u[.]us
  • ti7[.]us
  • 2zc[.]us
  • gf6[.]us
  • 6dr[.]us
  • 6or[.]us
  • kc0[.]us
  • 0ty[.]us
  • styi.info
  • 6fe[.]us
  • u8n[.]us
  • d6s[.]us
  • 45[.]32[.]147[.]158
  • 62[.]3[.]15[.]55
  • 45[.]32[.]212[.]77
  • 149[.]248[.]2[.]42

Redirection and landing pages:

  • bwkd[.]me
  • ksaguna[.]com
  • asdboloa[.]com
  • game.co[.]za

Browser-plugin malware domains:

  • fubsdgd[.]com

Prolific Puma registration email address:

  • blackpumaoct33@ukr[.]net

Protect yourself from vulnerabilities using Patch Manager Plus to patch over 850 third-party applications quickly. Try a free trial to ensure 100% security.

Website

Latest articles

Singapore Police Arrested Two Individuals Involved in Hacking Android Devices

The Singapore Police Force (SPF) has arrested two men, aged 26 and 47, for...

CISA Conducts First-Ever Tabletop Exercise Focused on AI Cyber Incident Response

On June 13, 2024, the Cybersecurity and Infrastructure Security Agency (CISA) made history by...

Europol Taken Down 13 Websites Linked to Terrorist Operations

Europol and law enforcement agencies from ten countries have taken down 13 websites linked...

New ARM ‘TIKTAG’ Attack Impacts Google Chrome, Linux Systems

Memory corruption lets attackers hijack control flow, execute code, elevate privileges, and leak data.ARM's...

Operation Celestial Force Employing Android And Windows Malware To Attack Indian Users

A Pakistani threat actor group, Cosmic Leopard, has been conducting a multi-year cyber espionage...

Hunt3r Kill3rs Group claims they Infiltrated Schneider Electric Systems in Germany

The notorious cybercriminal group Hunt3r Kill3rs has claimed responsibility for infiltrating Schneider Electric's systems...

Hackers Employing New Techniques To Attack Docker API

Attackers behind Spinning YARN launched a new cryptojacking campaign targeting publicly exposed Docker Engine...
Balaji
Balaji
BALAJI is an Ex-Security Researcher (Threat Research Labs) at Comodo Cybersecurity. Editor-in-Chief & Co-Founder - Cyber Security News & GBHackers On Security.

Free Webinar

API Vulnerability Scanning

71% of the internet traffic comes from APIs so APIs have become soft targets for hackers.Securing APIs is a simple workflow provided you find API specific vulnerabilities and protect them.In the upcoming webinar, join Vivek Gopalan, VP of Products at Indusface as he takes you through the fundamentals of API vulnerability scanning..
Key takeaways include:

  • Scan API endpoints for OWASP API Top 10 vulnerabilities
  • Perform API penetration testing for business logic vulnerabilities
  • Prioritize the most critical vulnerabilities with AcuRisQ
  • Workflow automation for this entire process

Related Articles