Forum Discussion
Communication with suspicious random domain name (Preview)
Hey ragnar667
FYI, the SOA (start of authority) on the DNS record for zbrjtstrclnm.com points to zoneadmin.tonic.com.
Tonic.com is a pay-per-click style advertising company and the domain is likely related to their traffic.
Thanks
We received a Sentinel alert for this URL: 6c3140.bwtjgtbsgvqqwg.com
When searching through our proxy logs, the full URL ended up being:
hxxp://6c3140.bwtjgtbsgvqqwg.com/?subid1=21477459&subid2=3573470005&subid3=1243549---delimjuwe---sevenwestmedia-perthnow&subid4=taboola-GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ&network=taboola&site=sevenwestmedia-perthnow&adtitle=Unsold+Womans+Shoes+Almost+Being+Given+Away&click_id=GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ&dpco=1&tblci=GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ
Looking at some of the keywords, Perthnow is a local news website operated by a tabloid newspaper. Taboola is a public advertising company. Therefore, I believe these alerts are less about DNS assistance and more about web-based advertising, as highlighted by Tun33elrt.
- sshockleyarascom, Oct 21, 2022, Copper Contributor
RichardH01 I think the advertisers are using randomized domain names for the same reason the malware was: to make it harder to block the traffic.
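The triage the thread walks through (refang the proxy-log URL, pull the query string apart, and check whether its markers point at an ad network rather than malware infrastructure) as an added Python example; this is not code from the original posts, from Microsoft, or from Sentinel. The entropy and consonant-run scores for "random-looking" labels, the `AD_TRACKING_KEYS` list and the verdict wording are assumptions for illustration, not how the Sentinel rule scores the alert. The SOA/WHOIS check mentioned in the first post needs network access and is left to a real resolver; the sample URL below is the one quoted from the proxy logs above.

```python
"""Triage helper for a 'suspicious random domain name' alert (added example)."""
import math
import re
from collections import Counter
from urllib.parse import parse_qs, urlsplit

# Constructed sample input: the defanged URL quoted from the proxy logs in the thread.
PROXY_LOG_URL = (
    "hxxp://6c3140.bwtjgtbsgvqqwg.com/?subid1=21477459&subid2=3573470005"
    "&subid3=1243549---delimjuwe---sevenwestmedia-perthnow"
    "&subid4=taboola-GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ"
    "&network=taboola&site=sevenwestmedia-perthnow"
    "&adtitle=Unsold+Womans+Shoes+Almost+Being+Given+Away"
    "&click_id=GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ"
    "&dpco=1&tblci=GiB2UOqOvlnWOKVbRBPFc7raGEbeQ83ZYqNnmIQY_wDR-yCWt1sokI-hip-FupLnAQ"
)

# Query-string keys that typically identify ad-network click tracking.
# Assumption for this example, not a vendor-published schema.
AD_TRACKING_KEYS = {
    "network", "site", "click_id", "tblci", "adtitle",
    "subid1", "subid2", "subid3", "subid4",
}


def refang(url: str) -> str:
    """Turn a defanged URL (hxxp://, hxxps://, [.]) back into a parseable one."""
    return re.sub(r"^hxxp", "http", url, flags=re.IGNORECASE).replace("[.]", ".")


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score higher than dictionary words."""
    if not s:
        return 0.0
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())


def longest_consonant_run(s: str) -> int:
    """Longest run without a vowel; a crude 'not pronounceable' signal (assumed heuristic)."""
    runs = re.findall(r"[b-df-hj-np-tv-z]+", s.lower())
    return max((len(r) for r in runs), default=0)


def triage(url: str) -> dict:
    """Split the alerted URL into host features and ad-network markers for an analyst."""
    parts = urlsplit(refang(url))
    host = parts.hostname or ""
    labels = host.split(".")
    # Assumes a single-label public suffix such as .com; use the Public Suffix List
    # for co.uk-style suffixes.
    sld = labels[-2] if len(labels) >= 2 else host
    params = {k: v[0] for k, v in parse_qs(parts.query).items()}
    ad_keys = sorted(AD_TRACKING_KEYS & set(params))
    if "network" in params or "tblci" in params:
        verdict = "likely ad-network click tracking; confirm via SOA/WHOIS of the domain"
    else:
        verdict = "no ad-network markers; treat as unresolved"
    return {
        "host": host,
        "sld": sld,
        "sld_entropy": round(shannon_entropy(sld), 3),
        "sld_consonant_run": longest_consonant_run(sld),
        "ad_keys": ad_keys,
        "network": params.get("network"),
        "site": params.get("site"),
        "verdict": verdict,
    }


if __name__ == "__main__":
    for key, value in triage(PROXY_LOG_URL).items():
        print(f"{key}: {value}")
```

The host features explain why the rule fired (the second-level label has no vowels at all and high entropy), while the query-string markers explain why the first post's conclusion of ad traffic is plausible; the verdict is deliberately "likely", since a randomized label alone cannot distinguish an ad redirector from a DGA domain, which is the point sshockleyarascom makes above.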