AT&T Alien Labs has observed the Mirai variant botnet, known as Moobot, scanning for known but uncommon vulnerabilities in Tenda routers, resulting in a considerable peak in our internal telemetry. The research associated with this peak resulted in the discovery of a malware hosting domain, providing several different Mirai variants, like Moobot and Satori.
.... When the cyberium[.]cc domain was investigated, several campaigns were identified, going back at least one year to May 2020. Most of the attacks lasted for approximately a week while they hosted several Mirai variants, after which they left the subdomain unresolvable. However, this seems to be the behavior of the threat actor in between operations. The actors appear to come back to the same domain with a new subdomain for each new campaign. Activity in between campaigns goes quiet to increase the trust of the original domain. Keeping a long-running existing domain while issuing a brand new domain helps to divert attention to the new domain and thus distract from the original.
The full list of subdomains/campaigns identified from this domain is:
- cyberium[.]cc: Around May 2020
- U.cyberium[.]cc: Around May 2020
- Gcc.cyberium[.]cc: Around June 2020
- Park.cyberium[.]cc: Around July 2020
- Hoon.cyberium[.]cc: Around July 2020
- Hh.cyberium[.]cc: Around September 2020
- Wo.cyberium[.]cc: Around October 2020
- Y.cyberium[.]cc: Around October 2020
- W.cyberium[.]cc: Around November 2020
- Ns.cyberium[.]cc: Around November 2020
- Tmp.cyberium[.]cc: Around December 2020
- Ftp.cyberium[.]cc: Around March 2021
- Dns.cyberium[.]cc: Around April 2021
- Ddns.cyberium[.]cc: Around April 2021
- Park.allcheesedout[.]cc: around September 2020
- Ratatouille.allcheesedout[.]cc: around September 2020
- Watchdog.allcheesedout[.]cc: around September 2020
- Bot.bigbots[.]cc: around February 2021
- Cnc.bigbots[.]cc: around February 2021
- Cnc1.bigbots[.]cc: around February 2021
- Cnc.fewbots[.]cc: created and up since February 2021
- Bot.fewbots[.]cc: created and up since February 2021
- Cnc.hardbotz[.]cc: created and up since March 2021
- Projectaliennet[.]cc: created and up since March 2021
- Life.zerobytes[.]cc: created in May 2021
- Registrar: Namecheap.
- Top level domain: CC.
- All of them served Mirai variants.
(* 1 of many things to look for before buying dropped domain names)
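A defender's use of the list above is to watch DNS query logs for the published host names and, because the actor re-uses the same apex domains with fresh subdomains between campaigns, for any previously unseen host under one of those apexes. The following is an added example written for this note, not code from the Alien Labs post: it refangs the indicators exactly as listed, builds an exact-host set and an apex set, and scans DNS log lines. The log lines are constructed in a BIND-style "client IP#port: query: NAME IN A" shape purely to exercise the matcher, and the apex heuristic (last two labels) is a simplification that is adequate for the .cc names here but not for multi-label public suffixes such as co.uk.

```python
"""Match DNS query logs against the defanged Moobot/cyberium indicators.

Added example, not part of the original post. The indicator list below is
copied from the post; the DNS log lines are constructed for this example.
"""
import re

# Indicators as published (defanged with "[.]" so they are not clickable).
DEFANGED_IOCS = [
    "cyberium[.]cc", "U.cyberium[.]cc", "Gcc.cyberium[.]cc",
    "Park.cyberium[.]cc", "Hoon.cyberium[.]cc", "Hh.cyberium[.]cc",
    "Wo.cyberium[.]cc", "Y.cyberium[.]cc", "W.cyberium[.]cc",
    "Ns.cyberium[.]cc", "Tmp.cyberium[.]cc", "Ftp.cyberium[.]cc",
    "Dns.cyberium[.]cc", "Ddns.cyberium[.]cc",
    "Park.allcheesedout[.]cc", "Ratatouille.allcheesedout[.]cc",
    "Watchdog.allcheesedout[.]cc",
    "Bot.bigbots[.]cc", "Cnc.bigbots[.]cc", "Cnc1.bigbots[.]cc",
    "Cnc.fewbots[.]cc", "Bot.fewbots[.]cc", "Cnc.hardbotz[.]cc",
    "Projectaliennet[.]cc", "Life.zerobytes[.]cc",
]


def refang(name: str) -> str:
    """Turn a defanged/mixed-case host name into a normalised lowercase FQDN."""
    return name.replace("[.]", ".").strip().rstrip(".").lower()


def apex(host: str) -> str:
    """Simplified apex: the last two labels. Fine for .cc, wrong for co.uk-style suffixes."""
    return ".".join(host.split(".")[-2:])


IOC_HOSTS = {refang(i) for i in DEFANGED_IOCS}
IOC_APEXES = {apex(h) for h in IOC_HOSTS}


def classify(qname: str):
    """Return 'exact' for a published host, 'apex' for a new subdomain under a
    campaign domain (the actor's observed pattern), or None for no match."""
    host = refang(qname)
    if host in IOC_HOSTS:
        return "exact"
    if apex(host) in IOC_APEXES:
        return "apex"
    return None


# Constructed sample log lines in a BIND-like query-log shape (hypothetical).
SAMPLE_DNS_LOG = """\
12-May-2021 10:01:02.123 client 10.0.0.5#51234: query: ftp.cyberium.cc IN A + (10.0.0.1)
12-May-2021 10:01:03.456 client 10.0.0.7#40000: query: new.cyberium.cc IN A + (10.0.0.1)
12-May-2021 10:01:04.789 client 10.0.0.9#40001: query: example.com IN A + (10.0.0.1)
12-May-2021 10:01:05.012 client 10.0.0.11#40002: query: Life.zerobytes.cc IN A + (10.0.0.1)
"""

# Matches the constructed line shape above; adjust for your resolver's real format.
LOG_RE = re.compile(r"client (?P<src>[\d.]+)#\d+: query: (?P<qname>\S+) IN")


def scan_log(text: str):
    """Yield (source IP, normalised qname, verdict) for every matching log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        verdict = classify(m["qname"])
        if verdict:
            hits.append((m["src"], refang(m["qname"]), verdict))
    return hits


if __name__ == "__main__":
    for src, host, verdict in scan_log(SAMPLE_DNS_LOG):
        print(f"{src} -> {host} [{verdict}]")
```

An "apex" hit on a host that was not in the published list is the interesting case for hunting: it is exactly the new-subdomain-per-campaign behaviour described above, and is worth enriching with first-seen time and resolved IP before deciding whether to block the whole apex.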