Microsoft seizes 22 NO-IP domains, disrupts cybercriminal and nation state APT malware operations

NO-IP is one of the many Dynamic DNS providers out there, which can be used for free to register a subdomain on top of popular names such as “servepics.com” or “servebeer.com”. For a long time, this has been a favorite method for cybercriminals who wanted to register easy-to-update hostnames to control their malware implants. Yesterday, Microsoft moved against NO-IP and seized 22 of their domains. They also filed a civil case against “Mohamed Benabdellah and Naser Al Mutairi, and a U.S. company, Vitalwerks Internet Solutions, LLC (doing business as No-IP.com), for their roles in creating, controlling, and assisting in infecting millions of computers with malicious software—harming Microsoft, its customers and the public at large.”
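The reason dynamic DNS matters to defenders is visible in resolver logs: an implant that is controlled through a NO-IP hostname has to look that hostname up. The following is an added example (not code from the original story or from Microsoft) that scans resolver log lines for queries under free dynamic-DNS parent zones. The log format, the sample lines and the flagged hostnames are constructed; the watchlist holds only the two NO-IP parent domains named in the story and would be extended with the rest of the provider's zones in practice.

```python
"""Flag DNS queries for hostnames under free dynamic-DNS zones.

Added example, not part of the original story. The log format and the
sample lines below are constructed; adapt the parser to your resolver's
actual log format. The watchlist holds the two NO-IP parent domains named
in the story; in practice it would carry every zone of the dynamic-DNS
providers you care about.
"""
import re
from collections import Counter

# Parent zones whose subdomains anyone can register for free (from the story).
DYNAMIC_DNS_ZONES = {"servepics.com", "servebeer.com"}

# Constructed resolver log format: "<timestamp> client <ip> query <qname>".
LOG_RE = re.compile(r"^(?P<ts>\S+) client (?P<ip>\S+) query (?P<qname>\S+)$")

# Constructed sample lines; the hostnames under the watchlisted zones are
# placeholders, not real indicators.
SAMPLE_LOG = """\
2014-07-01T10:00:01Z client 10.0.0.5 query update.example.com
2014-07-01T10:00:02Z client 10.0.0.5 query host-a.servepics.com
2014-07-01T10:00:09Z client 10.0.0.5 query host-a.servepics.com
2014-07-01T10:00:11Z client 10.0.0.7 query servebeer.com
2014-07-01T10:00:15Z client 10.0.0.9 query deep.sub.servebeer.com
2014-07-01T10:00:20Z client 10.0.0.9 query notservebeer.com
"""


def matching_zone(qname, zones=DYNAMIC_DNS_ZONES):
    """Return the watchlisted zone that qname sits under, or None.

    Only true subdomains match: 'notservebeer.com' does not match
    'servebeer.com', and the bare zone apex is not a registered hostname.
    """
    name = qname.rstrip(".").lower()
    for zone in zones:
        if name.endswith("." + zone):
            return zone
    return None


def flag_dynamic_dns(log_text, zones=DYNAMIC_DNS_ZONES):
    """Parse log lines and return (client_ip, qname, zone) for each hit."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not fit the expected format
        zone = matching_zone(m.group("qname"), zones)
        if zone:
            hits.append((m.group("ip"), m.group("qname").rstrip(".").lower(), zone))
    return hits


def hits_per_client(hits):
    """Count flagged queries per client; repeated lookups of one dynamic
    hostname from one internal host are the pattern worth a closer look."""
    return Counter(ip for ip, _, _ in hits)


if __name__ == "__main__":
    found = flag_dynamic_dns(SAMPLE_LOG)
    for ip, qname, zone in found:
        print(f"{ip} queried {qname} (dynamic-DNS zone {zone})")
    for ip, n in hits_per_client(found).most_common():
        print(f"{ip}: {n} flagged queries")
```

A hit is not proof of infection, since legitimate users also register dynamic-DNS names; the value is in the per-client count and in joining the flagged hostnames against the resolved addresses, which is exactly the kind of rapidly changing infrastructure the takedown targeted.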

Interestingly, Microsoft cited two specific malware families which were used “to infect innocent victims with the Bladabindi (NJrat) and Jenxcus (NJw0rm) family of malware”. These have been used by multiple cybercriminal and activist groups to target users, including the (in-)famous Syrian Electronic Army. (Stay tuned for a more detailed blog post on that soon.)

In addition to these, the takedown disrupted many other APT operations that used NO-IP for their C&C infrastructure. These include:

● Flame/Miniflame
● Turla/Snake/Uroburos, including Epic
● Cycldek
● Shiqiang
● HackingTeam RCS customers
● Banechant
● Ladyoffice
● etc.

Read more: Microsoft seizes 22 NO-IP domains, disrupts cybercriminal and nation state APT malware operations

Story added 1 July 2014; the content source with the full text can be found at the link above.