SANS ISC: testgvbgjbhjb.com SANS ISC InfoSec Forums

testgvbgjbhjb.com
Greetings,
Does anyone have information that can be shared related to domain testgvbgjbhjb.com? I'm seeing a large no. of hosts which looks like local loop back [127.0.0.1] attempting to create a socket with domain testgvbgjbhjb.com. Appears to be high tcp dynamic no. and various processes such as svchost, chrome, etc...

Regards.
Bill

9 Posts
Looks like the domain used to point to a few different IP addresses:
96.17.234.251 shows up in some hybrid analysis reports. But that IP is an Akamai IP and also used for services like Windows Update. So it is not malicious. It could be a "connectivity check" for the malware (maybe this is why it starts with "test" ?). There is one hybrid analysis report that appears to link that domain to the Cerber Ransomware (But back from around new year?).

I would certainly investigate further.
Johannes

3796 Posts
ISC Handler
Interesting txt history...

Date        Value(s)
2019-12-31  There is no intent on making this domain functional at this point. If it best suits your environment just block the domain at your Web filter.
            Subtle DNS requests were being sent from various devices to the domain with no explanation.
            If you find suspicious DNS activity to this domain in your network the persons managing the domain also found the same.
2020-01-04  v=spf1 -all
            If you are trying to find out what this domain is for review HTML code on hxxp:// or hxxps://testnjjhb[.]com.
2020-01-05  If you are trying to find out what this domain is for review HTML code on hxxp:// or hxxps://testnjjhb[.]com.
2020-01-12  The owner of this domain does not know why your machine is reaching out to it. Owner saw suspicious traffic in multiple networks and bought it.
2020-01-18  v=spf1 -all
            The owner of this domain does not know why your machine is reaching out to it. Owner saw suspicious traffic in multiple networks and bought it.

Source: https://securitytrails.com/domain/testgvbgjbhjb.com/history/txt
Anonymous

-
Bill - I can't explain with 100% certainty why your devices are reaching out to the domain, but the below should help answer your question.

testgvbgjbhjb.com and testnjjhb.com are both associated with each other. Saw these being queried back-to-back in a handful of networks in Dec 2019 and surprisingly neither were registered so I bought them. At this point my guess is they were going to be used for malvertising, but still unsure.

Essentially here's what seems to happen, and not every time do both domains get queried:

1. DNS query to testnjjhb.com [root record]
2. DNS query to testgvbgjbhjb.com [root record]
3. tcp/443 GET hits the Web server.
4. Nothing further.

IPs have periodically changed as some cloud infrastructure was set up to gauge the volume of traffic. Traffic is sourced from Windows, MacOSX, iPhone, Android, etc.... All the referrer URLs appear to be valid, but most are heavy ad sites. These findings are where malvertising seemed to be a reasonable conclusion. Infrastructure was getting costly on a personal pocket book for a research project so records were changed to 127.0.0.1. Interesting TXT records as referenced by a few Websites were to keep people from filing abuse reports and to keep others from potentially wasting a lot of time trying to determine a fix. A bit of an honor system with the TXT record, but only one abuse report came in. Had looked at putting an ad on the page to cover infrastructure cost, which is why you may do online research and find evidence of an ad campaign on the domains. It ultimately didn't work and that has been removed.

Just today A records changed again. I wanted to test an IDS solution by exposing a few ports on a server. It will go back to a loopback 127.0.0.1 in a few days. I'm open to connecting with a reputable org if someone legitimately would want to dig into this further and see the traffic. For now I own the domains and plan to keep traffic sinkholed or used for testing various cloud services until the DNS queries and https requests drop to zero.
Anonymous

-
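The lookup sequence described in the post above can be checked against resolver logs. This is an added example, not part of the thread or the posters' own tooling: the log format, the sample lines and the 5-second pairing window are assumptions, and entries are assumed to be in time order.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# The two domains the thread ties together, in the order the post lists them.
FIRST, SECOND = "testnjjhb.com", "testgvbgjbhjb.com"

# Constructed sample log; assumed format: "<UTC time> <client IP> <qname> <qtype>".
SAMPLE_LOG = """\
2020-03-30T09:15:02Z 10.0.4.17 testnjjhb.com. A
2020-03-30T09:15:02Z 10.0.4.17 TESTGVBGJBHJB.COM. A
2020-03-30T09:15:40Z 10.0.4.17 www.example.org. A
2020-03-30T09:16:11Z 10.0.9.3 testgvbgjbhjb.com. A
2020-03-30T09:20:00Z 10.0.7.8 testnjjhb.com. A
2020-03-30T09:31:00Z 10.0.7.8 testgvbgjbhjb.com. A
malformed line
"""

def summarize(log_text, window=timedelta(seconds=5)):
    """Per client: lookups of each domain and the count of back-to-back pairs."""
    stats = defaultdict(lambda: {FIRST: 0, SECOND: 0, "pairs": 0})
    last_first = {}  # client -> time of its most recent unpaired FIRST lookup
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip lines that do not match the assumed format
        ts, client, qname, _qtype = parts
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue
        name = qname.rstrip(".").lower()  # DNS names are case-insensitive
        if name == FIRST:
            stats[client][FIRST] += 1
            last_first[client] = when
        elif name == SECOND:
            # Not every client queries both domains, so single lookups still count.
            stats[client][SECOND] += 1
            seen = last_first.pop(client, None)
            if seen is not None and when - seen <= window:
                stats[client]["pairs"] += 1
    return dict(stats)

if __name__ == "__main__":
    for client, s in sorted(summarize(SAMPLE_LOG).items()):
        print(client, s)
```

Clients with a non-zero `pairs` count match the back-to-back pattern; the others queried only one domain or queried them too far apart to be the same event.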
Bill - testgvbgjbhjb.com is associated with testnjjhb.com. I personally own them. I happened to be looking at DNS queries this week and realized they've had high volume of requests even over the last few months. After a quick Google search to see if others had researched I ran across this SANS thread. See below timeline to try and help answer your questions.


- Mid-December 2019 traffic was seen. WHOIS showed no registration. Saw a good amount of DNS lookups from various networks and was curious. On one hand, if there was a botnet starting I didn't want to be registered to the domain. On the other, I could register the domain and sinkhole potential botnet.
- Jan 1, 2020 - Registered both domains and set up infrastructure in the cloud for monitoring.
- Within 2 hours of getting an A record on the root of each zone there were 20,000 unique IPs hitting the Web servers. It was all tcp/443. Bought a cert issued from a public CA and bound to the Web servers. Was able to see referrer URLs, browsers, etc... Needed a session key so couldn't decrypt all contents from the Web server.
- Set TXT records in case someone filed an abuse case. I figured it would happen at some point. I've seen some comments about all the TXT records.
- At one point within the next couple of weeks there were 16 Million tcp/443 packets to the Web servers in 24-hour periods.
- Tried testing an ad service to pay for the infrastructure used. Wasn't worth it so it was removed.
- Infrastructure cost wasn't worth doing more research. Changed A records to 127.0.0.1 and moved on.
- Late March 2020 about ~550k DNS queries / day. Changed from loopback to some EC2 instances I manage. This is more for learning AWS services and cloud-based SIEM / NIDS solutions.

Conclusion at this point is some kind of malvertising campaign that wasn't successful. Windows, OSX, Android, iOS - these all send tcp/443 traffic, and appear to have been GET requests for the root page. Referrer URLs are somewhat consistent. All are heavily loaded with ads. The only one where I didn't see many ads was zulily.com. Quite a few people are hitting these domains from Zulily. 8A to 5P is normal business hours throughout the globe I would think. When looking at graphs for DNS usage it looks like the majority of day-time traffic is coming from the same timezone as the London area.

Hope this is helpful. For now I plan to keep the domains unless the counts drop drastically. Open to collaborating with someone who's affiliated with a legitimate cyber research group. Not knowing what these domains were intended for I've intentionally held anonymity.
Anonymous

-
Thanks for the responses. Blocking the domain with proxy but missing a lot of mobile users.....split tunneling ;-(
Bill

9 Posts
