Researchers at Unit 42, Palo Alto’s threat intelligence team, have found threat actors increasingly using a technique known as domain shadowing to host malicious web pages. Between April and June of this year, around 12,197 cases of domain shadowing were discovered, indicating a marked uptick in the use of this technique.
Domain shadowing is a form of DNS hijacking in which threat actors compromise the DNS of a legitimate domain and create their own subdomains under it for malicious activity. They leave the existing, legitimate DNS records untouched, using the domain in a way that will not alert its owners to the compromise. These malicious subdomains host C2 addresses, phishing sites, and malware-dropping sites. Because the root domain of each request is a legitimate source, threat actors can bypass security checks by abusing the hijacked domain’s good reputation. Likewise, since the domain is otherwise reputable, users are more likely to access or submit data to one of these hijacked subdomains, as the URL appears trustworthy.
Domain shadowing is difficult to detect without the ability to analyze DNS logs across a large number of organizations, which makes the tactic attractive to threat actors.
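The two properties described above give defenders something to look for in passive DNS data: a subdomain that appears under a long-established domain whose existing records are unchanged, and that resolves to an address outside the infrastructure the domain has historically used. The following Python heuristic, added here as an illustration and not taken from the Unit 42 research or any tooling it describes, runs that check over a constructed set of passive-DNS records. The record layout, the `example.com`/`example.org` domains, the addresses, and the one-year "established" threshold are all assumptions made for the example.

```python
"""Heuristic detection of domain-shadowing candidates in passive DNS data (illustrative)."""
from collections import defaultdict
from datetime import date

# Constructed sample passive-DNS records: (first_seen, fqdn, rrtype, rdata).
# example.com and its www/mail hosts stand for the owner's long-standing, untouched
# records; the 'secure-login.account' and 'cdn-update' hosts stand for attacker-added
# subdomains that point at hosts unrelated to the owner's infrastructure.
SAMPLE_RECORDS = [
    ("2021-03-02", "example.com", "A", "203.0.113.10"),
    ("2021-03-02", "www.example.com", "A", "203.0.113.10"),
    ("2021-03-02", "mail.example.com", "A", "203.0.113.25"),
    ("2022-05-14", "secure-login.account.example.com", "A", "198.51.100.77"),
    ("2022-05-21", "cdn-update.example.com", "A", "198.51.100.78"),
    ("2022-05-20", "staging.example.com", "A", "203.0.113.10"),  # new, but on owner infra
    ("2020-01-10", "example.org", "A", "192.0.2.5"),
    ("2022-06-01", "blog.example.org", "A", "192.0.2.5"),         # new, but on owner infra
]


def registered_domain(fqdn):
    """Assumption: a two-label apex (no public-suffix list), sufficient for sample data."""
    return ".".join(fqdn.lower().rstrip(".").split(".")[-2:])


def find_shadow_candidates(records, baseline_cutoff, min_baseline_age_days=365):
    """Return A records first seen on/after the cutoff whose subdomain resolves to an
    address the registered domain had never used before the cutoff, restricted to
    domains old enough to carry reputation worth abusing."""
    cutoff = date.fromisoformat(baseline_cutoff)
    established_ips = defaultdict(set)  # apex -> addresses seen before the cutoff
    oldest_seen = {}                     # apex -> earliest first_seen date

    # Pass 1: build the per-domain baseline from records older than the cutoff.
    for first_seen, fqdn, rrtype, rdata in records:
        if rrtype != "A":
            continue
        apex = registered_domain(fqdn)
        seen = date.fromisoformat(first_seen)
        oldest_seen[apex] = min(oldest_seen.get(apex, seen), seen)
        if seen < cutoff:
            established_ips[apex].add(rdata)

    # Pass 2: flag new subdomains that leave the established infrastructure.
    candidates = []
    for first_seen, fqdn, rrtype, rdata in records:
        if rrtype != "A":
            continue
        apex = registered_domain(fqdn)
        seen = date.fromisoformat(first_seen)
        if seen < cutoff or fqdn == apex:
            continue
        if (cutoff - oldest_seen[apex]).days < min_baseline_age_days:
            continue  # young parent domain: no reputation to shadow, likely new build-out
        if rdata not in established_ips[apex]:
            candidates.append(
                {"fqdn": fqdn, "apex": apex, "ip": rdata, "first_seen": first_seen}
            )
    return candidates


if __name__ == "__main__":
    for hit in find_shadow_candidates(SAMPLE_RECORDS, "2022-05-01"):
        print(f"{hit['first_seen']}  {hit['fqdn']:<40} -> {hit['ip']}  (under {hit['apex']})")
```

On the sample data the two attacker-style hosts are flagged while `staging.example.com` and `blog.example.org` are not, because they resolve to addresses the parent domain already used. A legitimate move to a new hosting provider produces the same signal, so a hit is a lead for analysts to corroborate (for example against the domain owner's change records or the content served), not a verdict on its own; the value of the heuristic grows with the breadth of DNS visibility, which is the point the article makes about why the technique is hard to spot.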