Cybercriminals are an elusive lot. Some cyberattacks have cost victims a great deal of money and remained a puzzle to cybercrime investigators for long periods. Anonymity on the Internet has proven to be a safe refuge for threat actors, in part due to the redaction of WHOIS records. It is therefore essential to have access to WHOIS domain history so investigators can see ownership details recorded before privacy redaction was applied.
Even with indicators of compromise (IoCs) in the form of domain names, investigators sometimes can’t move forward easily because WHOIS record information is hidden. With WHOIS history search tools, however, they have more data to work with. To illustrate this, we dug deeper into the IoCs collected related to the LookBack malware.
Digging into the WHOIS Domain History of LookBack Malware IoCs
In 2019, employees of several U.S. companies in the utility sector received emails from entities that impersonated the National Council of Examiners for Engineering and Surveying (NCEES) and the Global Energy Certification (GEC). These emails contained Microsoft Word attachments that, when downloaded, used VBA macros to install and run LookBack.
LookBack is a remote access Trojan that enables attackers to view and delete device data, take screenshots, execute commands, move and click a user’s mouse, and remove itself from the device. Below are the domains considered as IoCs:
WHOIS History of nceess[.]com
The domain nceess[.]com is a typosquatting domain that imitates the official NCEES website (ncees[.]org). It was used in the LookBack malware campaign launched between June and July 2018.
A quick WHOIS lookup would reveal that the domain is no longer active and is available for registration. A WHOIS history search, on the other hand, shows that nceess[.]com was first registered on 8 May 2019. Until 8 May 2020, its ownership details included the name T. Eriksson and a P.O. Box in Greymouth, New Zealand.
A simple Internet search gave us inconclusive results, as there are several people named T. Eriksson. A reverse WHOIS search on the name also yielded 73 domains, which means that, at some point, one or more individuals with that name were listed as their registrants.
WHOIS History of globalenergycertification[.]net
The domain globalenergycertification[.]net is an imitation of the official globalenergycertification[.]org. It was seen in phishing campaigns that distribute LookBack in August 2019.
A WHOIS lookup reveals that the domain name was created on 11 June 2019 under the registrant name N. Gardner.
Like nceess[.]com, the domain wasn't renewed after it expired; however, domain availability tools show that it is currently unavailable. N. Gardner is also a fairly common name, returning a long list of people on the search results page.
WHOIS Domain History as a Data Source
The historical WHOIS data of the domains nceess[.]com and globalenergycertification[.]net can provide cybercrime investigators with additional information to help with their cases. For instance, there is a high possibility that the threat actors used fictitious names. But investigators don't have to stop there.
A closer look at the WHOIS history records told us that both domain registrants used ProtonMail, so cybercrime investigators and law enforcement agencies can work with the email service provider to trace the ownership of the on-record email addresses.
Investigators can also look into reverse WHOIS search results and find clues by looking at associated domains.
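The lookups described above, as an added Python example that is not part of the original post: it refangs the IoC domains, finds the legitimate domain each one imitates by edit distance on the second-level label, recovers the ownership details recorded before privacy redaction, and groups domains by registrant name and email provider as a reverse-WHOIS style pivot. WHOIS_HISTORY is a constructed sample with placeholder email addresses and observation dates, not the real records, and the helper functions are this example's own.

```python
from collections import defaultdict
# Constructed sample WHOIS history snapshots for the two IoC domains (placeholder
# email addresses and observation dates; not the real records behind the post).
WHOIS_HISTORY = [
    {"domain": "nceess[.]com", "seen": "2019-05-08", "registrant": "T. Eriksson",
     "email": "placeholder-1@protonmail.com", "location": "Greymouth, NZ"},
    {"domain": "nceess[.]com", "seen": "2020-05-08", "registrant": "REDACTED FOR PRIVACY",
     "email": "", "location": ""},
    {"domain": "globalenergycertification[.]net", "seen": "2019-06-11",
     "registrant": "N. Gardner", "email": "placeholder-2@protonmail.com", "location": ""},
]
LEGIT_DOMAINS = {"ncees.org", "globalenergycertification.org"}

def refang(domain):
    """Turn a defanged IoC such as nceess[.]com back into a resolvable name."""
    return domain.replace("[.]", ".").replace("(.)", ".").replace("[dot]", ".").lower()

def edit_distance(a, b):
    """Levenshtein distance, used to spot one- or two-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def lookalike_targets(ioc, legit=LEGIT_DOMAINS, max_dist=2):
    """Legitimate domains whose second-level label the IoC imitates.
    Assumes a single-label public suffix (.com/.org), not e.g. .co.uk."""
    name = refang(ioc)
    label = name.split(".")[0]
    return sorted(l for l in legit if l != name and edit_distance(label, l.split(".")[0]) <= max_dist)

def pre_redaction_owner(domain, history=WHOIS_HISTORY):
    """Earliest snapshot that still names a registrant (details before privacy redaction)."""
    rows = [r for r in history if refang(r["domain"]) == refang(domain)
            and "REDACTED" not in r["registrant"].upper()]
    return min(rows, key=lambda r: r["seen"]) if rows else None

def pivots(history=WHOIS_HISTORY):
    """Group domains by registrant name and by email provider (reverse-WHOIS style)."""
    by_name, by_provider = defaultdict(set), defaultdict(set)
    for r in history:
        if "REDACTED" in r["registrant"].upper():
            continue
        by_name[r["registrant"]].add(refang(r["domain"]))
        if "@" in r["email"]:
            by_provider[r["email"].rsplit("@", 1)[1].lower()].add(refang(r["domain"]))
    return dict(by_name), dict(by_provider)
```

Against real data, replace WHOIS_HISTORY with the snapshots returned by a WHOIS history service and LEGIT_DOMAINS with the organisations your investigation covers.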
Aside from the LookBack malware, WHOIS domain history can also help in investigations of other cybercrimes. It provides additional data points that can bring investigators closer to unveiling the identities of the people or organizations behind cyberattacks.