ragnar667
Copper Contributor
Sep 29, 2021

Communication with suspicious random domain name (Preview)

Hi All

So we are seeing multiple alerts via Azure Security Center for the following:

Communication with suspicious random domain name (Preview)

The alerts show that various assets connected to our domain are querying, via our DNS server, various nefarious-looking domain names such as 25jimj.qgxouyclggk.com and 3dde4b.zbrjtstrclnm.com.

In all of these cases we can see that the asset has connected to various IP addresses that are registered to Amazon. We see multiple hits to Amazon and then we see hits to these random domains.

The alert points us to the following:

https://interflowwebportalext.trafficmanager.net/reports/DisplayReport?callerIdentity=ddd5443d-e6f4-441c-b52b-5278d2f21dfa&reportCreateDateTime=2021-07-07T08%3a33%3a40&reportName=MSTI-TS-DNS-Changer.pdf&tenantId=c4a31167-4b24-47e3-a4b4-93d92097a1e3&urlCreateDateTime=2021-07-07T08%3a33%3a40&token=6WEIykYGq3uD81RbTof8TYiRqAqA91erSiZwWuAM0l0=

We run virus scans on these machines and no malware or issues are being reported.

This alert is in preview, so there is very little online about the alert itself.

Does anyone on here know much about this alert?

How concerned should we be?

These assets themselves are onboarded onto Defender but this activity does not trigger any alert.

  • Tun33elrt
    Copper Contributor

    Hey ragnar667

    FYI, the SOA (start of authority) on the DNS record for zbrjtstrclnm.com points to zoneadmin.tonic.com.

    Tonic.com is a pay-per-click style advertising company and the domain is likely related to their traffic.

    Thanks

    • RichardH01
      Copper Contributor
      To continue this journey, I concur with Tun33elrt as I got a similar result, but used a different process.
      1. My random site is 6867bb.shcxjdwfblvm.com
      2. Wheregoes.com shows a 307 temporary redirection to unsold-cars-93562.com
      3. I tried the mxToolbox SOA tool, but it doesn't show zoneadmin.tonic.com
      4. Entering "unsold-cars-93562.com" at bgp.he.net, I eventually got the zoneadmin.tonic.com mname record

      Hope this helps
    • RichardH01
      Copper Contributor

      We received a Sentinel alert for this URL: 6c3140.bwtjgtbsgvqqwg.com
      When searching through our proxy logs, the full URL ended up being:

      hxxp://6c3140.bwtjgtbsgvqqwg.com/?subid1=21477459&subid2=3573470005&subid3=1243549---delimjuwe---sevenwestmedia-perthnow&subid4=taboola-GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ&network=taboola&site=sevenwestmedia-perthnow&adtitle=Unsold+Womans+Shoes+Almost+Being+Given+Away&click_id=GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ&dpco=1&tblci=GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ

      Looking at some of the keywords, Perthnow is a local news website operated by a tabloid newspaper. Taboola is a public advertising company. Therefore, I believe these alerts are less about DNS assistance and more about web-based advertising, as highlighted by Tun33elrt.

      • sshockleyarascom
        Copper Contributor

        RichardH01, I think the advertisers are using randomized domain names for the same reason the malware was: to make it harder to block the traffic.
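A small triage helper for the two checks the replies converge on, written here as an added example and not code posted by anyone in the thread: it scores the second-level label of each alerted hostname for a machine-generated look (length, vowel ratio, consonant runs) and pulls the ad-network parameters out of the proxied click URL RichardH01 quoted. The hostnames and URL are the ones quoted above; the thresholds in looks_random are an assumption for illustration, not a vendor detection rule.

```python
import math
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Hostnames quoted in the thread above, as the alert surfaced them.
ALERTED_HOSTS = ["25jimj.qgxouyclggk.com", "3dde4b.zbrjtstrclnm.com",
                 "6867bb.shcxjdwfblvm.com", "6c3140.bwtjgtbsgvqqwg.com"]
# The defanged click URL RichardH01 pulled from the proxy logs, split only for width.
LOGGED_URL = ("hxxp://6c3140.bwtjgtbsgvqqwg.com/?subid1=21477459&subid2=3573470005"
              "&subid3=1243549---delimjuwe---sevenwestmedia-perthnow"
              "&subid4=taboola-GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ"
              "&network=taboola&site=sevenwestmedia-perthnow"
              "&adtitle=Unsold+Womans+Shoes+Almost+Being+Given+Away"
              "&click_id=GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ"
              "&dpco=1&tblci=GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ")
VOWELS = set("aeiou")

def label_features(label: str) -> dict:
    """Randomness features of one DNS label that a triage rule can threshold on."""
    if not label:
        return {"len": 0, "entropy": 0.0, "vowel_ratio": 0.0, "max_consonant_run": 0}
    n = len(label)
    entropy = -sum(c / n * math.log2(c / n) for c in Counter(label).values())
    run = best = 0
    for ch in label:  # longest run of consecutive consonants (letters only)
        run = run + 1 if ch.isalpha() and ch not in VOWELS else 0
        best = max(best, run)
    return {"len": n, "entropy": round(entropy, 2),
            "vowel_ratio": round(sum(ch in VOWELS for ch in label) / n, 2),
            "max_consonant_run": best}

def looks_random(host: str) -> bool:
    """Score the registrable (second-level) label; the left-most label is the tracking id."""
    labels = host.lower().rstrip(".").split(".")
    sld = labels[-2] if len(labels) >= 2 else labels[0]
    f = label_features(sld)
    # Thresholds are an assumption for this illustration, not a vendor detection rule.
    return f["len"] >= 10 and f["vowel_ratio"] < 0.3 and f["max_consonant_run"] >= 4

def ad_network_hints(url: str) -> dict:
    """Pull the ad-network parameters out of a (defanged) proxied click URL."""
    query = urlsplit(url.replace("hxxp://", "http://", 1)).query
    params = parse_qs(query)
    return {k: params[k][0] for k in ("network", "site", "adtitle") if k in params}
```

A random-looking label alone does not settle the question; the replies resolve it by following the redirect and reading the click parameters, which is what ad_network_hints surfaces from the proxy log entry.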
