Both Aged and New Domains Play a Role in the NDSW/NDSX Malware Campaign
The threat actors behind the NDSW/NDSX malware campaign[1] used both newly registered and aged domains, likely to get the best of both worlds. But the digital breadcrumbs they left behind could help investigators get a step closer to catching them.
Our in-depth analysis revealed:
- Unredacted registrant email addresses from the historical WHOIS records of the domains identified as threat indicators of compromise (IoCs)
- More than 200 domains that used the same registrant email addresses as the aged domain IoCs
- An additional IP address that the domain IoCs resolved to
- More than 100 domains that shared the domain IoCs’ IP addresses, one of which is deemed malicious
- Some domains that shared common strings with the IoCs (“sync + adv.,” “static + visit,” and “ads + profit + network”)
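The pivots listed above (registrant email reuse, shared IP addresses, common name strings) can be scripted against historical WHOIS and passive DNS data. The following is an added example, not code from the original research; every domain, email address and IP in it is constructed sample data, and the string matching treats each pattern as a set of components that must all appear in a domain name.

```python
"""Pivot from domain IoCs to related infrastructure (added example, constructed data)."""

# Constructed historical WHOIS records: domain -> registrant emails seen over time
WHOIS_HISTORY = {
    "ioc-one.example": ["reg-a@example.net"],
    "ioc-two.example": ["reg-b@example.net", "reg-a@example.net"],
    "unrelated.example": ["someone@example.org"],
    "sibling.example": ["reg-a@example.net"],
    "older-sibling.example": ["reg-b@example.net"],
    "static-visit.example": ["other@example.org"],
}

# Constructed passive-DNS style resolutions: domain -> IPs it resolved to
RESOLUTIONS = {
    "ioc-one.example": ["192.0.2.10"],
    "ioc-two.example": ["192.0.2.10", "198.51.100.7"],
    "unrelated.example": ["203.0.113.5"],
    "cohost.example": ["198.51.100.7"],
    "sibling.example": ["203.0.113.9"],
    "syncadv-cdn.example": ["203.0.113.20"],
}

# String components observed in the IoC names; a candidate matches a pattern
# when every component of that pattern appears in its name (assumed rule).
STRING_PATTERNS = [("sync", "adv"), ("static", "visit"), ("ads", "profit", "network")]


def pivot(iocs, whois=WHOIS_HISTORY, dns=RESOLUTIONS):
    """Return domains linked to the IoCs by registrant email, shared IP or name pattern."""
    iocs = set(iocs)
    emails = {e for d in iocs for e in whois.get(d, [])}
    ips = {ip for d in iocs for ip in dns.get(d, [])}
    by_email = {d for d, es in whois.items() if d not in iocs and emails & set(es)}
    by_ip = {d for d, rs in dns.items() if d not in iocs and ips & set(rs)}
    candidates = (set(whois) | set(dns)) - iocs
    by_string = {d for d in candidates
                 if any(all(part in d for part in pat) for pat in STRING_PATTERNS)}
    return {"emails": emails, "ips": ips, "by_email": by_email,
            "by_ip": by_ip, "by_string": by_string}


if __name__ == "__main__":
    for key, value in pivot(["ioc-one.example", "ioc-two.example"]).items():
        print(f"{key}: {sorted(value)}")
```

Each set of results is a lead for further review, not a verdict; a shared registrant email or IP is a link to investigate, and the report itself flagged only one of the IP-sharing domains as malicious.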
Download a sample of the threat research materials now or contact us to access the complete set of research materials.
[1] https://blog.sucuri.net/2022/06/analysis-massive-ndsw-ndsx-malware-campaign.html