Netlab 360 has discovered a suspicious GoELF sample, a downloader used mostly to propagate mining malware. The fascinating part is that the team found the sample and its configuration being distributed through namesilo's parking page and Google's user-defined (custom) pages. This appears to be yet another attempt by the attacker to obscure the control channel and avoid being tracked, monitored, and blocked, and it has most likely served them well.
Tencent's security team also reported an identical sample; however, its analysis of the distribution path isn't entirely accurate. It is commonly assumed that the content shown on a parked domain is controlled by the domain parking provider for the duration of the parking period (Domain Parking), and that the actual owner of the domain cannot edit the page. In this case, however, the domain parking service lets the domain owner customize the parking page. The attacker used this, together with the custom pages offered by Google, to distribute the malware.
This has two significant advantages for the attacker: on one hand, they incur almost no bandwidth or server costs for hosting the malicious programs; on the other hand, because the bots 'talk' only to the domain parking provider and to Google, the control traffic blends in completely with legitimate traffic, making it extremely difficult to monitor and block. According to Netlab's DNSMon/DTA monitoring data, this new trend has indeed been escalating in recent months.
The mining aspect isn't especially interesting, but the researchers did observe that the DNS resolution of www.hellomeyou.cyou has historically been a CNAME to a parking domain, parking.namesilo.com. Parked domains are typically registered but not actively used.
By logging into namesilo's user service interface, the researchers discovered that its ParkingPage has user-customizable content, which is what allows threat actors to abuse it. Multiple historical screenshots of the site in their DNSMon system revealed that the page's title was in fact a link to the malicious sample and the page's description was an xmrig configuration.
In addition, GitHub and Google links are abused in the description, and further investigation shows that these are also part of the malware distribution chain. Among them is a base64-encoded xmrig mining program hosted on a Google custom page.
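As an added illustration, not code from Netlab, Tencent, or the malware itself, the following Python sketch shows the kind of check a defender could run against a domain that resolves to a parking provider: fetch the page (here a constructed HTML sample stands in for the fetch), pull out the `<title>` and the `description` meta tag, and flag the signs described above, a URL where a title should be, xmrig configuration keys, a base64 blob, or extra links in the description. The CNAME list contains only parking.namesilo.com, which the write-up names; the keyword list and all hostnames in the sample are assumptions and placeholders.

```python
import base64
import re
from html.parser import HTMLParser

# Parking-provider hostnames worth flagging in a CNAME chain. parking.namesilo.com
# is the one named in the write-up; extend from your own intel.
PARKING_CNAMES = {"parking.namesilo.com"}

# Assumed indicator list: xmrig JSON config keys and the stratum pool URL scheme.
MINER_KEYWORDS = ("xmrig", "stratum+tcp", "donate-level", "rig-id")

URL_RE = re.compile(r"https?://[^\s\"'<>]+")
# A long run of base64 alphabet characters; each candidate is then decode-checked.
B64_RE = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")


class TitleMetaParser(HTMLParser):
    """Collects the <title> text and the <meta name="description"> content."""

    def __init__(self):
        super().__init__()
        self.title = ""
        self.description = ""
        self._in_title = False

    def handle_starttag(self, tag, attrs):
        if tag == "title":
            self._in_title = True
        elif tag == "meta":
            a = dict(attrs)
            if (a.get("name") or "").lower() == "description":
                self.description = a.get("content") or ""

    def handle_endtag(self, tag):
        if tag == "title":
            self._in_title = False

    def handle_data(self, data):
        if self._in_title:
            self.title += data


def looks_like_base64(blob):
    """True only if the candidate run is syntactically valid, non-empty base64."""
    try:
        return len(base64.b64decode(blob, validate=True)) > 0
    except ValueError:  # binascii.Error is a subclass of ValueError
        return False


def analyze_parking_page(html, cname_chain=()):
    """Return title, description and a list of finding tags for one parked page."""
    parser = TitleMetaParser()
    parser.feed(html)
    findings = []
    if any(c.lower().rstrip(".") in PARKING_CNAMES for c in cname_chain):
        findings.append("cname_to_parking_provider")
    if URL_RE.search(parser.title):
        findings.append("url_in_title")
    desc = parser.description
    if any(k in desc.lower() for k in MINER_KEYWORDS):
        findings.append("miner_config_in_description")
    if any(looks_like_base64(m) for m in B64_RE.findall(desc)):
        findings.append("base64_blob_in_description")
    if URL_RE.search(desc):
        findings.append("url_in_description")
    return {"title": parser.title.strip(), "description": desc, "findings": findings}


# Constructed samples (not real pages): one mimicking the abuse pattern, one benign.
ENCODED_BLOB = base64.b64encode(b"constructed stand-in payload, not a real binary").decode()
ABUSED_HTML = f"""<html><head>
<title>http://dl.example.invalid/x86_64</title>
<meta name="description" content='{{"pools":[{{"url":"stratum+tcp://pool.example.invalid:3333"}}],"donate-level":1}}
 https://raw.example.invalid/cfg.json {ENCODED_BLOB}'>
</head><body>This domain is parked.</body></html>"""
BENIGN_HTML = """<html><head><title>example.invalid is for sale</title>
<meta name="description" content="This domain is parked free, courtesy of the registrar.">
</head><body></body></html>"""

if __name__ == "__main__":
    print(analyze_parking_page(ABUSED_HTML, ["parking.namesilo.com"])["findings"])
    print(analyze_parking_page(BENIGN_HTML, ["cdn.example.invalid"])["findings"])
```

Any single finding on its own is weak evidence (parking pages legitimately carry links), so the useful alert is the combination: a CNAME to a parking provider plus a URL in the title or a decodable base64 blob in the description, which matches what the DNSMon screenshots showed. The same parser can be pointed at periodic snapshots to catch the title or description changing over time.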
Netlab 360 notes that: “In this case, it is different. This particular case uses the ‘user-customize’ parking page directly for its control channel. Hackers do not need to have their own machines and IPs, they just use the parked pages provided by the domain registrar, as well as the custom pages of Google (see the following snapshot) to help spread their malware. By doing this, the malicious actor totally goes under the radar because all the control channel traffic uses these totally legit ‘public facilities’.”