Short and simple
This discusses how I plan to use DNS.Coffee to drive research. You can find suspicious domains, and then pivot on that to find more suspicious domains.
Before continuing
THE CONTENT, VIEWS, AND OPINIONS EXPRESSED ON THIS DOCUMENT ARE MY OWN AND DO NOT REFLECT THOSE OF MY EMPLOYER OR ANY AFFILIATED ORGANIZATIONS. ALL RESEARCH, ANALYSIS, AND WRITING ARE CONDUCTED ON MY PERSONAL TIME AND USING MY OWN PERSONALLY-ACQUIRED RESOURCES. ANY REFERENCES, TOOLS, OR SOFTWARE MENTIONED HERE ARE LIKEWISE USED INDEPENDENTLY AND ARE NOT ASSOCIATED WITH, ENDORSED, OR FUNDED BY MY EMPLOYER.
Background
This was inspired by Chris Duggan’s post here: https://x.com/TLP_R3D/status/1845446668549775372. He shows how to monitor threat actor infrastructure by watching newly registered domains per name server in DNS.Coffee.
Doing it
I didn’t fully follow his instructions. I started, and then got distracted, and I didn’t finish it, but I think it’s still pretty cool. I started here from a search on previous research:
https://dns.coffee/domains/shopmyexchenge.com
I picked the most recent name server (before Cloudflare) as seen here:
Clicking that takes you here:
https://dns.coffee/nameservers/ns1.eranet-dns.com
I just skimmed the limited list of Current Domains. The snip below shows the head of the list.
There are a bunch of DGA domains. It’s fairly simple to identify the obvious masquerade domains because they’ll include parts of legitimate applications, with suspicious additions to the app name. For example, in the snip above, “telegram-accounts” and “telegramaccount” are what I consider to be obvious masquerades.
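As an added example (not code from the post, DNS.Coffee or Silent Push), here is a small Python triage helper that applies the heuristic above to a defanged domain list: it flags second-level labels that embed a tracked brand with extra affixes, and separately flags close misspellings of a brand. The brand names and sample domains come from the post's own list; the two-edit threshold and the naive "label before the TLD" parsing are my assumptions.

```python
# Brands the post tracks (taken from the domains the author listed).
BRANDS = ["csfloat", "dmarket", "skinport", "telegram", "dexscreener", "itrustcapital"]

def refang(domain: str) -> str:
    """Turn a defanged indicator like 'us-csfloat[.]com' back into 'us-csfloat.com'."""
    return domain.strip().lower().replace("[.]", ".").replace("(.)", ".")

def edit_distance(a: str, b: str) -> int:
    """Plain Levenshtein distance; catches typosquats such as 'dexscrecner'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def classify(domain: str, brands=BRANDS, max_dist: int = 2):
    """Return (brand, reason) if the second-level label looks like a masquerade, else None.
    The label before the TLD is used naively (assumption); 'csfloat.co.nz' style suffixes are out of scope."""
    labels = refang(domain).split(".")
    if len(labels) < 2:
        return None
    sld = labels[-2]
    for brand in brands:
        if sld == brand:
            return None  # the legitimate name itself (or a subdomain of it), not a masquerade
        if brand in sld:
            return brand, "brand-plus-affix"  # e.g. us-csfloat, telegramaccount
        # compare hyphen-separated parts so 'usa-logi-itrustcapital' style affixes do not inflate the distance
        for part in sld.split("-"):
            if abs(len(part) - len(brand)) <= max_dist and edit_distance(part, brand) <= max_dist:
                return brand, "typosquat"  # e.g. dexscrecner, duxscreener
    return None

# Constructed sample: a few entries from the post's list plus two benign controls.
SAMPLE = ["us-csfloat[.]com", "telegramaccount[.]com", "dexscrecner[.]com", "duxscreener[.]com",
          "usa-logi-itrustcapital[.]com", "csfloat[.]com", "example[.]org"]

def triage(domains):
    """Map each defanged domain to its (brand, reason); domains that match nothing are dropped."""
    return {d: classify(d) for d in domains if classify(d) is not None}

if __name__ == "__main__":
    for d, (brand, why) in triage(SAMPLE).items():
        print(f"{d:32} {brand:14} {why}")
```

The output is only a shortlist for manual review; as the post notes later, resolution and scan history still need to be checked before calling anything an IoC.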
That’s it – that’s all I did. I just skimmed it and compiled a list of domains that I think will be used in future attacks. See the IoFAs section for the full list. At some point in the near future I will follow all of the steps Chris Duggan listed in his post here: https://x.com/TLP_R3D/status/1845446668549775372. SUPER COOL!
Silent Push Domain Impersonation
I was curious if the domains listed in dns.coffee would be listed in the Silent Push Domain Impersonation search results. One thing that is cool is that there were many other domains listed as seen in the snip below. For the search below, I used the legitimate “csfloat.com” domain in the Domain Impersonation search. For context – csfloat.com is a marketplace to buy and sell Counter-Strike skins and stuff.
https://explore.silentpush.com/explore/domain-impersonation?domain=csfloat.com
I checked to see if any of the “-csfloat” domains from dns.coffee were listed – they were not, but there were some other domains that weren’t in the dns.coffee list such as web-csfloat[.]com, en-csfloat[.]com, and us-csfloat[.]com as seen in the snips below. Awesome!
Are they IoFAs or IoCs?
I skimmed through a bunch of the domains. When I search for some of them in urlscan, it doesn’t return any results. When I try to scan those domains, it fails because urlscan throws a DNS error. On other domains, there are scan results from six or more months ago. When I try to scan those domains, they also no longer resolve. Also, some domains are parked. Because of the mismatch of results, and because there isn’t any strong underlying analysis – I’m just calling these suspicious domains instead of IoFAs or IoCs.
Consideration for future workflows
This portion is just kind of a mental note for myself. I think as I’m building up my list of threats that I want to track, I could follow Chris Duggan’s steps to extract the new domains from dns.coffee, analyze them, and use Silent Push’s Domain Impersonation search to find additional IoCs/IoFAs. I don’t think I ever would’ve been able to just come up with the idea of monitoring or searching for sites that are masquerading as a site meant for purchasing Counter-Strike skins. That is especially so if it wasn’t in CTI that someone published. This will be awesome.
Summary
This discusses taking steps learned from Chris Duggan (@TLP_R3D) to monitor for new threat actor domains based on the name server. A quick skim of the current domains can be used to find domains that are likely masquerading domains that may be used in a future attack. After finding the masquerading domains from DNS.Coffee, you can take the real domain and use that to perform a Silent Push Domain Impersonation search – this will help expand the list with additional domains.
Suspicious Domains (from DNS.Coffee)
cs-float[.]net
de-csfloat[.]com
us-dmarket[.]net
ww-csfloat[.]com
ww-dmarket[.]com
ww-skinport[.]com
wwskinport[.]com
telegram-accounts[.]com
telegramaccount[.]com
dexscrecner[.]com
duxscreener[.]com
us-dexscreener[.]com
us-itrustcapital[.]net
app-itrustcapital[.]com
itrustcapitallogin[.]com
logn-itrustcapital[.]com
sso-itrustcapital[.]com
usa-logi-itrustcapital[.]com
Suspicious Domains from Silent Push