In last week’s article we covered Freenom domains and how they are used in Digital Ocean snowshoe spam campaigns. Let’s see what kind of activity has been coming from Digital Ocean over the past week. While not a Freenom TLD, this time we’ve also included .xyz domains in the data set for those researchers who have expressed interest.
Aug14 18.104.22.168 x2 rdns0.ressua.xyz 22.214.171.124 x2 mail.thebehringtools.xyz 126.96.36.199 x1 box.cmail.xyz Aug15 188.8.131.52 x1 marketpress.xyz 184.108.40.206 x2 buntydeals.xyz Aug17 220.127.116.11 x1 mx13.camouflage84259.xyz 18.104.22.168 x5 xv20.zazomika.cf 22.214.171.124 x1 mail.marketvaluerates.xyz 126.96.36.199 x10 box.canopusvietnam.xyz 188.8.131.52 x28 xv20.524.pinotvineryms.cf 184.108.40.206 x1 rdns0.pertsd.xyz Aug18 220.127.116.11 x11 swn0.pinotvineryms.ga 18.104.22.168 x11 rdns0.unnsa.xyz 22.214.171.124 x2 srv0.bulkemails123.tk 126.96.36.199 x14 box.alphadaero.xyz 188.8.131.52 x2 swn0.pinotvineryms.ml 184.108.40.206 x1 box.bufferty.xyz 220.127.116.11 x2 designopro.xyz 18.104.22.168 x2 rdns0.proods.xyz 22.214.171.124 x2 swn0.zazomika.ga Aug19 126.96.36.199 x1 mailer.strongf.xyz 188.8.131.52 x3 rdns0.hyunn.xyz Aug20 184.108.40.206 x2 iux0.strinoemenker.tk 220.127.116.11 x36 iux0.miditruni.cf 18.104.22.168 x5 rdns0.iggds.xyz
So, what more can be said about this activity other than it is garbage, easily preventable, and (disappointingly) not being dealt with? Let’s dig deeper and check out what kind of spam is being sent.
The above case is purely a malicious email, pretending to be an interested buyer and trying to get you to download and execute the attached file. This attached file is identified as the malware ‘AgentTesla’, a keylogger and RAT (Remote Access Trojan) with the ability to exfiltrate data into the hands of a bad actor.
You might think it is quite obviously spam, and that you’d never fall for it. However, sometimes that is the point. Spammers find success targeting the most gullible people, the ‘low hanging fruit’ if you will. It’s frustrating that large providers allow their networks to be abused like this, with no repercussions to their lack of action.
Whom does the onus belong to when it comes to malicious activity occurring? Should the end users, the victims that this spam targets, simply educate themselves and purchase better anti-spam and anti-malware tools? Should we wait for the Spammers to discover the error of their ways and turn to a new light? Or should the network providers, the ones that can most easily detect and deal with the problem, be responsible for their non-efforts when it comes to cleaning up the obvious abuse of their services?
Sure, reporting to abuse contacts is good when it works, but too much of the time it is ‘bandage’ fixes and not systematic changes to prevent future abuse. As mentioned, we’ve been seeing this pattern for years, and it isn’t stopping. Malware, phishing, and spammy marketing continue to pour out of this network.