SANS Internet Storm Center, InfoSec Forums

Suspicious traffic to unusual site names in the .info TLD
One of my customer's systems has been connecting to unusual sites in the .info TLD. These are site names like:

The names all seem to be three long but obscure English words. They all have similar registration details, in particular the same registrar and creation date.

Registry Domain ID: D503300000043619417-LRMS
Registrar WHOIS Server:
Registrar URL:
Updated Date: 2017-10-25T20:30:30Z
Creation Date: 2017-08-26T02:08:26Z
Registry Expiry Date: 2018-08-26T02:08:26Z

All resolved addresses point to blocks owned by "Hurricane Electric":

The traffic is all HTTPS encrypted.

Has anyone seen anything similar?
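One way to turn the observations in the post above into a repeatable triage check. This is an added example, not code from the ISC post or its author: it flags .info hostnames whose registrable label splits into exactly three dictionary words, checks whether the resolved address falls in a watched set of prefixes, and clusters the flagged names by registrar and WHOIS creation date. Every hostname, WHOIS record, IP address, prefix and the tiny word list are constructed for illustration (the prefix is the 198.51.100.0/24 documentation range standing in for the hosting provider's blocks); in practice the word list would come from /usr/share/dict/words, the hostnames from proxy or TLS SNI logs, and the prefixes from the provider's announced routes.

```python
"""Triage helper for three-word .info domain names sharing registration details.
Added example; all inputs below are constructed, not taken from the post."""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed mini-dictionary (assumption: real use loads a full word list).
WORDS = {
    "velvet", "harbour", "quince", "lantern", "marble", "thistle",
    "ember", "cobalt", "saffron", "mail", "update", "static", "shop",
}


def word_split_counts(label, words=WORDS):
    """Return the set of word counts over all ways to split `label` into
    dictionary words (word-break dynamic programming). Empty set: no split."""
    counts = [set() for _ in range(len(label) + 1)]
    counts[0].add(0)
    for i in range(1, len(label) + 1):
        for j in range(i):
            if counts[j] and label[j:i] in words:
                counts[i] |= {c + 1 for c in counts[j]}
    return counts[len(label)]


def is_suspicious_name(fqdn, tld="info", nwords=3):
    """True if `fqdn` is under `tld` and its registrable label can be read
    as exactly `nwords` dictionary words, the pattern described in the post."""
    parts = fqdn.lower().rstrip(".").split(".")
    if len(parts) < 2 or parts[-1] != tld:
        return False
    return nwords in word_split_counts(parts[-2])


def in_watched_blocks(ip, blocks):
    """True if `ip` lies inside any of the watched network prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in blocks)


def cluster_by_registration(domains, whois):
    """Group domains by (registrar, creation date) using WHOIS data; only
    groups with more than one member are returned, since a shared registrar
    and creation day is what makes the set look coordinated."""
    groups = defaultdict(list)
    for d in domains:
        rec = whois.get(d)
        if rec is None:
            continue
        created = datetime.strptime(rec["creation_date"], "%Y-%m-%dT%H:%M:%SZ")
        groups[(rec["registrar"], created.date().isoformat())].append(d)
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def triage(hostnames, resolved, blocks):
    """Return hostnames matching the naming pattern AND resolving into a
    watched block (hostnames with no resolution are kept as name-only hits)."""
    hits = []
    for h in hostnames:
        if not is_suspicious_name(h):
            continue
        ip = resolved.get(h)
        if ip is None or in_watched_blocks(ip, blocks):
            hits.append(h)
    return hits


# Constructed sample input standing in for proxy/SNI logs, DNS answers and WHOIS.
SAMPLE_HOSTNAMES = [
    "velvetharbourquince.info", "lanternmarblethistle.info",
    "embercobaltsaffron.info", "mail.example.com",
    "cdn.static.info",      # one-word label, not flagged
    "shopupdate.info",      # two words, not flagged
    "marblethistleember.info",  # three words but resolves outside the blocks
]
SAMPLE_RESOLVED = {
    "velvetharbourquince.info": "198.51.100.10",
    "lanternmarblethistle.info": "198.51.100.11",
    "embercobaltsaffron.info": "198.51.100.12",
    "marblethistleember.info": "203.0.113.5",
}
WATCHED_BLOCKS = [ipaddress.ip_network("198.51.100.0/24")]  # constructed prefix
SAMPLE_WHOIS = {
    "velvetharbourquince.info": {"registrar": "Registrar A", "creation_date": "2017-08-26T02:08:26Z"},
    "lanternmarblethistle.info": {"registrar": "Registrar A", "creation_date": "2017-08-26T02:08:27Z"},
    "embercobaltsaffron.info": {"registrar": "Registrar A", "creation_date": "2017-08-26T02:09:01Z"},
}

if __name__ == "__main__":
    hits = triage(SAMPLE_HOSTNAMES, SAMPLE_RESOLVED, WATCHED_BLOCKS)
    for key, members in cluster_by_registration(hits, SAMPLE_WHOIS).items():
        print(key, members)
```

The name check on its own is noisy (plenty of legitimate brands are three concatenated words), so the example only treats a name as a hit when it also resolves into the watched prefixes, and it then requires a shared registrar and creation day before reporting a cluster; the second and third signals are what distinguish the post's pattern from ordinary vocabulary-style domain names.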
