Age is rarely an issue when it comes to malware campaigns, and that’s certainly true for WebAttacker. WebAttacker is a do-it-yourself (DIY) malware creation kit that became popular back in 2006. It was the first exploit kit made available to cybercriminals in the Russian underground market for as little as US$20.
While you may assume it is no longer active, our findings suggest it may not be. An in-depth look at three email addresses belonging to the WebAttacker operators revealed the following.
- Close to 350 domains were registered using those three email addresses, which are known indicators of compromise (IoCs).
- The domains registered with the email addresses were created between 2011 and 2022.
- The domains resolved to more than 130 IP addresses.
- The IP addresses were spread out across more than a dozen countries.
A sample of the additional artifacts obtained from our analysis is available for download from our website.
Old but Potentially Not Dead
We began the investigation by using the email addresses belonging to the WebAttacker operators as reverse WHOIS search strings. That led to the discovery of 346 domains registered between 2011 and 2022, at least five years after the exploit kit first appeared in cybercriminal underground markets. Domain registration peaked in 2021. A shared registrant email is a strong link but not a conclusive one on its own: WHOIS contact fields can be reused, entered falsely, or belong to a reseller, so the domains below are treated as connected infrastructure rather than as proof that a single actor registered them all.
Several of the domains look as if they were randomly generated, such as:
A few of them also led to what appear to be business sites, specifically rental web pages, based on screenshot lookups.
A bulk Threat Intelligence Platform (TIP) malware check, however, showed that only one domain, ddgcc[.]com, was tagged "malicious" by various malware engines. This web property is currently up for sale, so users looking for a domain for their businesses may want to be wary: a domain that has been flagged can remain on blocklists and in reputation feeds long after it changes hands.
DNS lookups for the domains showed that they resolved to 135 IP addresses spread out over a dozen countries. A majority of them were geolocated in the U.S., followed by China, Canada, Germany, Japan, and South Africa.
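The pivot described above (registrant email to domains, domains to IP addresses, IP addresses to countries and to hosts shared by several domains) can be scripted. The following is an added example written for this article, not the research team's own tooling. It assumes constructed inputs: an invented reverse-WHOIS export (the domain names and dates are made up and are not from the research data), DNS answers using RFC 5737 documentation addresses, and a small GeoIP table. For live use, the `live_resolve` helper, built on the standard library's `socket.gethostbyname_ex`, can replace the constructed DNS table, and a real GeoIP lookup can replace `SAMPLE_GEO.get`.

```python
"""Infrastructure pivot: registrant email -> domains -> IPs -> countries.

Added illustration for this article, not the research team's own tooling.
The reverse-WHOIS export, DNS answers and GeoIP lookups below are constructed
stand-ins; in real use they would come from a reverse-WHOIS API, a resolver
and a GeoIP database.
"""
from collections import Counter, defaultdict
from datetime import date
import socket

# Constructed reverse-WHOIS records: (defanged domain, creation date).
# The domains are invented for illustration and are not from the research data.
SAMPLE_WHOIS = [
    ("xk3f9qz[.]com", "2011-03-02"),
    ("qp7m2wd[.]net", "2021-05-14"),
    ("zt8r4hc[.]com", "2021-06-30"),
    ("city-rentals-example[.]com", "2022-01-11"),
]

# Constructed DNS answers and GeoIP data (RFC 5737 documentation addresses).
SAMPLE_DNS = {
    "xk3f9qz.com": ["203.0.113.10"],
    "qp7m2wd.net": ["203.0.113.10", "198.51.100.7"],
    "zt8r4hc.com": ["198.51.100.7"],
    "city-rentals-example.com": ["192.0.2.44"],
}
SAMPLE_GEO = {"203.0.113.10": "US", "198.51.100.7": "US", "192.0.2.44": "DE"}


def refang(domain):
    """Turn a defanged indicator such as example[.]com back into a hostname."""
    return domain.replace("[.]", ".").strip().lower()


def defang(domain):
    """Defang a hostname so it is not clickable when reported."""
    return domain.replace(".", "[.]")


def live_resolve(domain):
    """Resolver for real use: A records via the system resolver, [] on failure."""
    try:
        return sorted(set(socket.gethostbyname_ex(domain)[2]))
    except (socket.gaierror, socket.herror):
        return []


def registrations_by_year(whois_records):
    """Count domain creations per year from (domain, ISO date) records."""
    return Counter(date.fromisoformat(created).year for _, created in whois_records)


def peak_year(whois_records):
    """Year with the most registrations (ties broken by the earlier year)."""
    counts = registrations_by_year(whois_records)
    return min(counts, key=lambda year: (-counts[year], year))


def pivot(whois_records, resolve, geolocate):
    """Resolve each domain, invert to IP -> domains, and tally countries."""
    ip_domains = defaultdict(set)
    unresolved = []
    for defanged, _ in whois_records:
        host = refang(defanged)
        ips = resolve(host) or []
        if not ips:
            unresolved.append(host)  # dead or parked names are still worth tracking
        for ip in ips:
            ip_domains[ip].add(host)
    countries = Counter(geolocate(ip) or "unknown" for ip in ip_domains)
    # IPs serving more than one of the domains are the interesting clusters:
    # they tie otherwise unrelated-looking names to the same hosting.
    shared = {ip: sorted(hosts) for ip, hosts in ip_domains.items() if len(hosts) > 1}
    return {
        "unique_ips": len(ip_domains),
        "countries": countries,
        "shared_ips": shared,
        "unresolved": unresolved,
    }


if __name__ == "__main__":
    result = pivot(SAMPLE_WHOIS, SAMPLE_DNS.get, SAMPLE_GEO.get)
    print("registrations by year:", dict(registrations_by_year(SAMPLE_WHOIS)))
    print("peak year:", peak_year(SAMPLE_WHOIS))
    print("unique IPs:", result["unique_ips"], "countries:", dict(result["countries"]))
    for ip, hosts in result["shared_ips"].items():
        print(f"{ip} hosts {', '.join(defang(h) for h in hosts)}")
```

The resolver and geolocation functions are passed in rather than hard-coded so the same aggregation runs against a live resolver (`pivot(records, live_resolve, my_geoip)`) or against saved answers for a reproducible report. Domains that no longer resolve are returned separately instead of being dropped, since lapsed names from an old campaign are exactly the ones a buyer may later pick up.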
Interestingly, while only one domain was dubbed “malicious,” 12 of the IP…