A network map showing multiple domains interconnected by arrows, resolving to the same IP address, 45[.]61.136.67, with a cyber threat theme.Depiction of multiple domains, such as pushcg[.]com and pemalite[.]com, resolving to the same IP address, 45[.]61.136.67, indicating new behavior observed in LandUpdate808 operations.

Summary Up Front

The LandUpdate808 actors have multiple domains responding to the same IP – and they all respond to the same endpoint used for the first stage of the LandUpdate808 delivery chain. This is a new behavior, and I’m wondering if that means they will be ramping up their activities.

Before Continuing

THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH, ANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN PERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED HERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR FUNDED BY MY EMPLOYER.

Why I Started Looking Into This

I saw Jacob posted an update here: https://infosec.exchange/@cyberamateur/113284458007844121.

I checked Proofpoint’s ET rules they added the domain on 07 OCT 24 as seen here: https://community.emergingthreats.net/t/ruleset-update-summary-2024-10-07-v10715/2033. Not sure how I missed it.

Why I Checked PADNS

When I was researching SmartApeSG, I noticed they would have more than one domain resolve to the same IP, and both domains would respond to the same endpoints. I had previously been monitoring for this, but the LandUpdate808 operators weren’t seen doing this yet.

I checked the resolution for pushcg[.]com, then I checked the PADNS for 45[.]61.136.67 and observed multiple other domains.

For each domain, I checked if they have the same endpoints via a Live Scan in Silent Push as seen in the snips below.

The snip below shows that pemalite[.]com responds to requests for the web-analyzer.js endpoint.

The snip below shows that piedsmontlaw[.]com responds to requests for the web-analyzer.js endpoint.

The snip below shows that howmanychairs[.]com responds to requests for the web-analyzer.js endpoint.

I found vpn289280989[.]v4.softether.net on Validin, but scanned it in Silent Push.

The snip below shows that vpn289280989[.]v4.softether.net responds to requests for the web-analyzer.js endpoint.

That’s it! Just a simple pivot from one domain to additional domains by checking the PADNS results for the IP.

Why Does This Matter?

Previously, the LandUpdate808 actors would use a domain that was the only domain that resolved to a given IP. Now, there are multiple domains replying to the same IP. Not only that, all of the domains on the IP respond to the same endpoint (/web-analyzer.js). This behavior is similar to what I’ve observed with SmartApeSG. This makes me wonder if the threat actors are planning to increase their activity. I look forward to monitoring to find out!

Summary

The LandUpdate808 actors have multiple domains responding to the same IP – and they all respond to the same endpoint used for the first stage of the LandUpdate808 delivery chain. This is a new behavior, and I’m wondering if that means they will be ramping up their operations.

Indicators

45[.]61.136.67

pushcg[.]com

pemalite[.]com

piedsmontlaw[.]com

howmanychairs[.]com

vpn289280989[.]v4.softether.net

https[:]//pushcg[.]com/web-analyzer.js

https[:]//pemalite[.]com/web-analyzer.js

https[:]//piedsmontlaw[.]com/web-analyzer.js

https[:]//howmanychairs[.]com/web-analyzer.js

https[:]//vpn289280989[.]v4.softether.net/web-analyzer.js