Triad Nexus: FUNNULL CDN hosting DGA domains for suspect Chinese sites

Oct. 23, 2024, 1:51 p.m.

Description

Silent Push has uncovered a large-scale malicious infrastructure dubbed 'Triad Nexus' hosted on the FUNNULL content delivery network. The investigation revealed over 200,000 unique hostnames, with 95% created using Domain Generation Algorithms. FUNNULL is linked to hosting suspect gambling websites, investment scams, and a retail phishing campaign targeting major brands. Connections were found to the Suncity Group, previously implicated in money laundering for the Lazarus crime group. A supply chain attack involving the polyfill.io JavaScript library affected over 110,000 websites. The research exposes FUNNULL's role in facilitating various criminal activities and raises concerns about its practices as a CDN provider.

Date

  • Created: Oct. 23, 2024, 1:19 p.m.
  • Published: Oct. 23, 2024, 1:19 p.m.
  • Modified: Oct. 23, 2024, 1:51 p.m.

Indicators


Attack Patterns

  • T1102.003
  • T1584.001
  • T1583.001
  • T1204.001
  • T1059.007
  • T1199
  • T1566
  • T1190
  • T1078

Additional Information

  • Retail
  • Technology
  • Finance
  • China