In this blog, we’ll show you how to use Silent Push Community Edition’s WHOIS scanning feature to locate and traverse threat infrastructure, using a WHOIS fingerprint that enables fast and accurate tracking of attacker Tactics, Techniques and Procedures (TTPs).
We’ll start by explaining the concept of WHOIS data and how security teams can utilize WHOIS intelligence to defend against attacks, before showing you how to pivot across data with a simple WHOIS scan that uses a domain owner’s email address as the starting point.
Sign-up to Silent Push Community Edition
Silent Push Community Edition is a free threat hunting and cyber defense tool, featuring a range of advanced queries and lookups, that outputs known and hidden threat infrastructure.
WHOIS is a publicly accessible database containing information on the ownership, registration, and administrative details of a domain.
When someone registers a domain (the “registrant”), they need to provide contact details and other relevant information to the company that facilitates the registration (the “registrar”).
This data is then made available through various WHOIS lookup tools, which allow any interested parties – including security teams – to query a domain name, and retrieve details about the registration.
The global WHOIS system performs three key functions:
Accountability: Ensures that domain owners can be contacted in case of legal, technical, or business issues.
Cybersecurity and threat hunting: Tracking illegal activities related to domain usage, including domain spoofing, fraud, or copyright infringement.
Technical support: Diagnosing domain-related issues, and DNS problems.
WHOIS data privacy
“WHOIS privacy” is a service offered by registrars that masks a domain owners’ personal information in the public WHOIS database, by using a proxy service to hide the real owner’s details and display generic responses in its place.
The legitimate purpose of WHOIS privacy is to counteract spam, identity theft, and harassment, but threat actors use the facility to evade detection and prevent security teams from tracking their activity.
How is WHOIS scanning used in cybersecurity?
Security Operations Centre (SOC) and Incident Response (IR) teams use WHOIS data to identify and analyze malicious domains, and gather intelligence that can be used to perform additional scans that reveal even more threat infrastructure.
Let’s take a look at some common use cases.
Identifying linked threat activity
WHOIS data includes information on the domain owner – such as the email they used to register the domain – and any nameservers associated with a domain.
Threat hunters use this data to locate other domains registered by the domain owner, or hosted on the same IP infrastructure using additional DNS queries.
If a domain shares the same WHOIS or DNS characteristics as a known malicious domain, this can be an indication of linked threat activity.
Correlating registration dates and patterns
Security teams use domain registration and expiration dates to detect suspicious activity, based on how long a domain has been in operation.
Recently registered domains are more likely to be used in an attack. Threat actors register new domains for short-term campaigns to counteract traditional IOC-based defense mechanisms that rely on lists of publicly known infrastructure.
Short-lived domains that are quickly registered and then allowed to expire (or disappear after use) are often used as disposable domains in a variety of threat campaigns, such as brand impersonation and typosquatting attacks.
Targeting suspicious domain registrars
Certain domain registrars are used by threat actors because they have lax verification procedures, and operate with poor security policies that ignore domain takedown requests.
Such registrars also allow the purchase of domains at low cost and in bulk, allowing threat actors to deploy large numbers of domains in a single campaign, which hinders detection.
Threat hunters are able to identify these registrars, and traverse across elements of their hosting infrastructure to locate malicious infrastructure.
WHOIS scanning with Silent Push
WHOIS information is a useful starting point in an investigation into named or unknown threat activity, but retrieving and using WHOIS data at scale, in a way that makes it easy to perform additional DNS and content-based pivots across an enriched dataset that complements the original scan, can be difficult to achieve.
All Silent Push subscription tiers – including Community Edition – feature a built-in WHOIS Scanner that returns WHOIS infrastructure using a combination of the following data types:
address: Address associated with the owner, including fields for each line of the address (e.g. state and zip_code)
created: Date and time the domain was registered
domain: The final domain the original domain resolves to
email: Email of the registered domain owner
expires: Date and time the domain is set to expire, unless it’s renewed
name: Given name of the domain registrant
nameserver: The nameserver used to connect the domain name to the host’s IP
ns_hash: Searchable hash of the nameserver and domain
organization: Name of the organization that the domain is associated with
registrar: Registrar associated with the domain
scan_date: Date the domain was scanned by Silent Push
Once you’ve executed a scan, you can one-click pivot across the results set to reveal additional intelligence linked to your original scanning parameters – including all associated DNS records and IP addresses – or drill down into the results by including or excluding key pieces of data.
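The pivots described above (registrant email, shared nameserver, registration age and registrar) as an added worked example, not Silent Push code: the records are constructed with the field names listed above, and every domain, email and registrar in them is a placeholder.

```python
"""Pivoting across WHOIS scan results on a registrant email (added example)."""
from collections import Counter
from datetime import datetime

SCAN_DATE = datetime(2024, 12, 1)  # constructed scan_date for every record

# Constructed records using the WHOIS Scanner field names; nothing here is real.
RECORDS = [
    {"domain": "phoenix-vault-cu.test", "email": "actor@example.test",
     "created": datetime(2024, 11, 20), "expires": datetime(2025, 11, 20),
     "registrar": "RegistrarA", "nameserver": "ns1.dnsprovider.test",
     "organization": "", "name": "J. Doe", "scan_date": SCAN_DATE},
    {"domain": "summit-cu-login.test", "email": "actor@example.test",
     "created": datetime(2024, 10, 5), "expires": datetime(2025, 10, 5),
     "registrar": "RegistrarA", "nameserver": "ns1.dnsprovider.test",
     "organization": "", "name": "J. Doe", "scan_date": SCAN_DATE},
    {"domain": "oak-bank-secure.test", "email": "actor@example.test",
     "created": datetime(2023, 1, 15), "expires": datetime(2024, 1, 15),
     "registrar": "RegistrarB", "nameserver": "ns2.otherdns.test",
     "organization": "", "name": "J. Doe", "scan_date": SCAN_DATE},
    {"domain": "legit-shop.test", "email": "owner@example.test",
     "created": datetime(2019, 3, 1), "expires": datetime(2026, 3, 1),
     "registrar": "RegistrarA", "nameserver": "ns1.dnsprovider.test",
     "organization": "Legit Shop Ltd", "name": "A. Owner", "scan_date": SCAN_DATE},
    {"domain": "unrelated.test", "email": "other@example.test",
     "created": datetime(2024, 11, 25), "expires": datetime(2025, 11, 25),
     "registrar": "RegistrarC", "nameserver": "ns9.example.test",
     "organization": "", "name": "B. Other", "scan_date": SCAN_DATE},
]


def pivot_on_email(records, email):
    """First pivot: every domain whose registrant email matches."""
    return sorted(r["domain"] for r in records if r["email"].lower() == email.lower())


def domain_age_days(record, as_of):
    return (as_of - record["created"]).days


def recently_registered(records, as_of, max_age_days=30):
    """Domains younger than max_age_days at scan time (higher attack likelihood)."""
    return sorted(r["domain"] for r in records
                  if 0 <= domain_age_days(r, as_of) <= max_age_days)


def expired_short_lived(records, as_of, max_lifetime_days=400):
    """Disposable pattern: registered for a single term and already expired."""
    return sorted(r["domain"] for r in records
                  if r["expires"] < as_of
                  and (r["expires"] - r["created"]).days <= max_lifetime_days)


def shared_nameserver(records, seed_domain):
    """Second pivot: other domains on the seed's nameserver.

    A shared nameserver is only an indication of linked activity; a legitimate
    domain on a popular DNS provider will show up here too, as the sample shows.
    """
    seed = next(r for r in records if r["domain"] == seed_domain)
    return sorted(r["domain"] for r in records
                  if r["nameserver"] == seed["nameserver"] and r["domain"] != seed_domain)


def registrar_breakdown(records, email):
    """Which registrars the actor favours, across the email pivot."""
    pivot = [r for r in records if r["email"].lower() == email.lower()]
    return dict(Counter(r["registrar"] for r in pivot))


def investigate(records, seed_email, as_of=SCAN_DATE):
    """Assemble the whole pivot chain into one report for a seed email."""
    linked = [r for r in records if r["email"].lower() == seed_email.lower()]
    return {
        "linked_domains": sorted(r["domain"] for r in linked),
        "recent": recently_registered(linked, as_of),
        "disposable": expired_short_lived(linked, as_of),
        "registrars": registrar_breakdown(records, seed_email),
        "nameserver_neighbours": {
            r["domain"]: shared_nameserver(records, r["domain"]) for r in linked},
    }


if __name__ == "__main__":
    import pprint
    pprint.pprint(investigate(RECORDS, "actor@example.test"))
```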
WHOIS scanning example: registrant email address
The registrant email [email protected] is associated with financial scams that attempt to spoof known and fake credit unions, and banking sites.
Executing a WHOIS Scan on the email address reveals a timestamped list of domains set up by the threat actor, mostly via a legitimate registrar (NameSilo), with Silent Push risk scores attached to each returned domain.
All of these domains are involved in financial threat activity, linked to the same registrant email address:
You can use the column view to display or omit data fields from the results table:
Executing a Live Scan on one such domain (phoenixvaultcreditunion.com) from within the WHOIS scanning results table reveals live infrastructure, with an expandable screenshot and additional data, including the domain’s HTML title and a favicon (if present):
You can use the same pivot box to execute a range of additional queries and lookups that provide a wealth of additional information on the target domain, without leaving the WHOIS scanning screen:
Web Scanner: A powerful tool that uses 150+ data fields to discover infrastructure that shares the same set of characteristics – including HTML body data, certificate information, favicons, server-returned data, and a lot more
Passive DNS: Get an immediate and complete list of all current and historic DNS records associated with the domain
Total View: Provides a detailed overview of all the infrastructure associated with the domain, including how it’s moved across the global IP space over time
Save To: Add the domain to an existing or new IOFA™ Feed
Takedown: Request that the domain be taken down, based on its status as an IOFA™
WHOIS scanning history
Once you’ve identified a malicious domain, you can quickly jump into the WHOIS History feature to get a timestamped table of changes to the domain’s WHOIS records.
This allows you to evaluate the Tactics, Techniques and Procedures (TTPs) used by a threat actor as they deploy their infrastructure, track similar patterns, and proactively block attacks.
Here’s the WHOIS history for phoenixvaultcreditunion.com, with WHOIS changes displayed as the data type, and date of the change underneath a graphical timeline:
Silent Push Threat Analysts recently observed a rise in the use of ScreenConnect, a remote monitoring and management (RMM) tool, on bulletproof hosts (BPHs). This raises suspicion that threat actors have continued to leverage legitimate software to gain access and control over victims’ endpoints.
We published our first blog post on ScreenConnect threats in October 2022, which CISA cited in a January 2023 advisory. Since then, we have been tracking the ScreenConnect exploit for CVE-2024-1709, which threat actors have been widely abusing.
Our discovery of a suspicious domain, filessauploaderchecker[.]com, in the Silent Push Web Scanner, led us to further explore for malicious intent.
As we continue investigating, we believe potential attackers have been using social engineering to lure victims into installing legitimate software copies configured to operate under the threat actor’s control.
Today, we are sharing an update on a threat actor group’s campaign that is abusing ScreenConnect to target Social Security recipients, which was first covered in 2024 by other security researchers.
Initial Intelligence
Organizations typically use a single RMM tool to manage their IT assets. However, the discovery of legitimate RMM tools used in cyberattacks can be complicated, as third-party suppliers sometimes use a different RMM tool than their clients when performing technical support or other legitimate activities.
The ScreenConnect software agent typically has a generic name like “ScreenConnect.Client[.]exe” or a similarly structured company-branded name if it has been customized by a subscribing organization. Our research uncovered a suspicious filename that deviates significantly from those conventions, suggesting it has been deliberately altered.
The filename observed on the domain filessauploaderchecker[.]com raises even more suspicion of malicious intent. The file was captured on VirusTotal (WARNING: this file is likely malicious), and its full name appears as: “Recently_S_S_A_eStatementsForum_Viewr66985110477892_Pdf[.]Client[.]exe”
Our team noted the file name includes the keyword “S_S_A,” a potential reference to “SSA,” aka the Social Security Administration, and the keyword “eStatements,” which alludes to a document someone could be requested to review. The lure essentially appears to be an eStatement from the Social Security Administration—and it is not a PDF but an executable file.
Closer examination of the file reveals it includes terms such as “eStatements,” “Forum,” “Viewr,” and “Pdf[.]client,” which appear to have been designed to resemble document viewing or financial statements. The terms are irrelevant to ScreenConnect agents and are likely crafted to mislead users into thinking the file is harmless.
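A detection check built on the naming observation above, added here as an example and not Silent Push tooling: it flags agent filenames (ending in .Client.exe) that carry the lure terms the post calls out or a long digit run. The "viewer" and "statement" spellings are slight generalisations of the observed "Viewr" and "eStatements"; the benign filenames in the sample list are constructed.

```python
"""Flag ScreenConnect agent filenames that deviate from the normal convention."""
import re

AGENT_SUFFIX = ".client.exe"  # ScreenConnect.Client.exe or <Brand>.Client.exe is normal

# Patterns are matched against the lowercased filename stem. The acronym check
# tolerates separators (S_S_A) and requires token boundaries, so an ordinary
# name such as Vanessa.Client.exe does not trigger it.
LURE_PATTERNS = {
    "ssa": re.compile(r"(?<![a-z])s[_\-]?s[_\-]?a(?![a-z])"),
    "estatement": re.compile(r"e[_\-]?statement"),
    "forum": re.compile(r"forum"),
    "viewer": re.compile(r"viewe?r"),
    "pdf": re.compile(r"pdf"),
}
LONG_DIGIT_RUN = re.compile(r"\d{8,}")  # random-looking numeric padding


def classify_screenconnect_filename(filename):
    """Return a verdict plus the evidence behind it for one filename."""
    lowered = filename.lower()
    if not lowered.endswith(AGENT_SUFFIX):
        return {"verdict": "not_screenconnect_agent", "lure_terms": [],
                "long_digit_run": False}
    stem = lowered[: -len(AGENT_SUFFIX)]
    hits = [name for name, pat in LURE_PATTERNS.items() if pat.search(stem)]
    digits = bool(LONG_DIGIT_RUN.search(stem))
    verdict = "suspicious" if hits or digits else "expected"
    return {"verdict": verdict, "lure_terms": hits, "long_digit_run": digits}


def suspicious_agents(filenames):
    """Reduce a list of observed filenames to the ones worth triage."""
    return [f for f in filenames
            if classify_screenconnect_filename(f)["verdict"] == "suspicious"]


# The first entry is the filename captured in the post; the others are constructed.
OBSERVED = [
    "Recently_S_S_A_eStatementsForum_Viewr66985110477892_Pdf.Client.exe",
    "ScreenConnect.Client.exe",
    "AcmeSupport.Client.exe",
    "Vanessa.Client.exe",
    "Quarterly_Statement.pdf",
]

if __name__ == "__main__":
    for name in OBSERVED:
        print(name, classify_screenconnect_filename(name))
```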
To complicate defensive actions, Silent Push Threat Analysts believe threat actors have been using various social engineering methods, such as SMS text messages, phone calls, or emails, to get unsuspecting victims to install legitimate copies of the ScreenConnect agent. Once installed, the attackers use the altered installer to quickly gain access to the victim’s files.
Silent Push Threat Analysts were able to craft a unique fingerprint that allows our team to detect a large amount of malicious infrastructure using ScreenConnect. This fingerprint powers our Indicators of Future Attack™ (IOFA™) feed for this threat and will be available to Silent Push enterprise customers.
The Bulletproof Hosting Connection
Bulletproof hosting providers are infamous for turning a blind eye to complaints of malicious or illegal content hosted on their servers. They are known for allowing cybercriminals to operate phishing websites, malware distribution networks, and command and control (C2) infrastructure without interruption.
Typically operating in jurisdictions with weak law enforcement, BPHs frequently leverage offshore locations that shield threat actors from takedowns. While often marketed for privacy and resilience, these providers are notorious for enabling illegal activities, making them a significant challenge for cybersecurity professionals and law enforcement agencies worldwide.
Our team has identified multiple bulletproof hosting providers being utilized by this threat. Filtering by bulletproof providers (easily done via a simple field in our platform while querying) in conjunction with other fingerprinting methods can often prove a useful method to track malicious infrastructure, as threat actors (like all criminals) tend to fall into predictable patterns. For operational security reasons, we have omitted the specific names of each for this blog so as not to tip off the threat actors. We encourage readers to look forward to our larger piece covering bulletproof hosting providers in greater detail and depth coming later this year.
Persistence in Cyberattacks
Threat actors use many techniques to establish persistence and maintain their foothold when working to compromise endpoints. These may include employing Windows services (such as abusing Task Scheduler), malware, misconfiguration, or even attacking an intended victim’s domain as a means to gain access, perform actions, or make configuration changes (such as replacing or hijacking legitimate code or adding startup code for malicious purposes).
What is persistence in cyberattacks? Mitre ATT&CK, the global knowledge base of adversarial tactics and techniques, describes persistence as an enterprise tactic: “Persistence consists of techniques that adversaries use to keep access to systems across restarts, changed credentials, and other interruptions that could cut off their access.”
Mitigation
Silent Push Threat Analysts recommend making use of our Enterprise edition to receive the newest IOFA™ and enrich the IOFA™ in your security solutions to detect, prevent, and respond to future cyberattacks. Our proprietary set of analytics and persistent manual review matches patterns against known malicious examples hosted on BPHs to ensure our IOFA™ do not contain false positives.
We are continuously searching to uncover emerging threats from APTs, bulletproof hosting providers, financial crimes, malvertising, and more.
Register for Free Silent Push Community Edition, a free threat hunting and cyber defense tool used by security teams, bug bounty hunters, and researchers that features a range of basic and advanced DNS queries which interrogate the Silent Push database, built from our daily scans of the internet’s global IP range.
Silent Push is coining the term “Infrastructure Laundering” to describe a growing criminal practice our analysts have observed where threat actors operating “hosting companies” rent IP addresses from mainstream hosting providers and map them to their criminal client websites.
Our research team was surprised to find mainstream cloud providers, such as Amazon Web Services (AWS)* and Microsoft Azure, are often seen in large-scale use by threat actors. While providers are consistently banning specific IP addresses used by the FUNNULL content delivery network (CDN), the pace is unfortunately not fast enough to keep up with processes being used to acquire the IPs.
FUNNULL has rented over 1,200 IPs from Amazon, and nearly 200 IPs from Microsoft – nearly all have been taken down as of this writing, but new IPs are continually being acquired every few weeks.
There are indications of FUNNULL illicitly acquiring the IPs using stolen or fraudulent accounts. However, external visibility into this process is limited.
Silent Push’s research into the FUNNULL CDN’s activities has revealed a direct association with money laundering as a service hosted on shell websites, retail phishing schemes, and pig-butchering scams being kept online via infrastructure laundering.
Given that it’s easier for enterprises to defend against this type of network if the services of mainstream providers are made unavailable to those criminals, our team is left to wonder: If FUNNULL has been using the same illicit IP rental schemes and CNAME mapping tactics for years, activity which is clearly visible to us as cyber threat professionals, why are cloud providers still struggling to keep up? Are cloud providers not investigating deeply enough to find illicit IP rentals in real time?
This line of thinking led us to a few larger, and as of yet unresolved, questions around infrastructure laundering:
If a hosting account is banned for fraud and abuse concerns, are cloud providers not investigating what content was hosted there and looking for similar content elsewhere on their network?
How and why does an organization like FUNNULL keep renting one IP after another from mainstream providers, even if using illicit means to acquire those IPs, when they are mapping them to one of three CNAMEs?
How come thousands of IPs have been taken down historically, but the new ones stay mapped for days or weeks without actions?
How is it that cloud providers are unable to see or stop this in real time?
*Note: Amazon responded to our findings with a public statement, which we attached to the bottom of this report, along with our comments.
Over the past few years, Silent Push Threat Analysts have been investigating and exposing threat actors whose crimes are not restricted to the internet but are very much a part of real-world criminal organizations. Our team is tracking this growing cyber line-blurring practice, now better known as “infrastructure laundering,” which leverages legitimate, mainstream hosting providers through intermediaries.
As we examine this particular brand of threat actor behavior, we must assess the scale of the technical infrastructure involved and critically examine the suppliers that are helping keep these organizations in business. The results have been surprising. Our analysts have discovered threat actors being enabled by mainstream cloud providers, including Amazon Web Services (AWS) and Microsoft Azure.
Both Amazon and Microsoft have essentially been fighting an uphill battle, clearly banning IPs being used by the FUNNULL CDN, yet new IPs are still showing up every few weeks. New details uncovered in the course of this reporting indicate that FUNNULL is likely using fraudulent or stolen accounts to acquire these IPs to map to their CNAMEs, and providers we have spoken to claim this wasn’t caught in real time due to visibility holes from the technical complexity of their DNS architecture.
The concept of infrastructure laundering is relatively new in cybersecurity and cybercrime discussions and circles. However, the underlying idea—that intermediaries provide a layer of obfuscation for illicit activities—has been previously discussed in the contexts of “bulletproof hosting” and “cybercrime-as-a-service.” These services perform a similar function: offering cybercriminals a high level of anonymity and protection.
One core difference between infrastructure laundering and a bulletproof host (BPH) is that with infrastructure laundering, takedowns are expected. We’ve come to realize that the persistence of infrastructure laundering is due primarily to the aggressive efforts used to acquire fresh hosting accounts – essentially, the threat actors moving more rapidly than cloud hosts can react.
Taking obfuscation a step further, infrastructure laundering specifically highlights a distinct process wherein intermediaries (such as the FUNNULL CDN, outlined in our Triad Nexus blog) launder their infrastructure by hosting it within large, legitimate cloud platforms (such as AWS or Azure) in order to further mask its origins and criminal intent.
Infrastructure laundering also helps to keep the websites fast for global audiences by mapping the infrastructure to countless IPs located in different areas of the world—and having IPs in the U.S. is useful for a network like FUNNULL, which hosts scams targeting U.S. brands and consumers.
The similarity here to the term “money laundering” is not accidental. Whereas money laundering enables the proceeds of crimes to be used on the open market and appear to have come from a reputable source, infrastructure laundering legitimizes the sale of internet hosting services via CNAME mapping and other classical DNS techniques to map their mostly criminal client websites to IP addresses owned by credible, Western hosts, thus creating the illusion of legitimacy for unsuspecting visitors and defenders.
The criminals’ advantage when it comes to infrastructure laundering, over and above bulletproof hosting, is that the underlying hosting provider also hosts other, valid businesses on a large scale, so it is difficult for defenders to block traffic received from that cloud provider without also adversely blocking legitimate web traffic for their users. As opposed to when criminals are restricted to using bulletproof hosting services, their infrastructure can then be easily blocked without the risk of causing accidental service disruption to the defending companies’ business operations.
Exploring Infrastructure Laundering Practices
Here’s how the concept of infrastructure laundering is evolving in discussions:
Bulletproof Hosting
The practice of bulletproof hosting is described as a service provided by an internet hosting operator that is resistant to takedown efforts and is usually located in jurisdictions with more lenient regulations and/or countries where law enforcement has fewer resources to monitor and control. Hosting service providers involved in BPH support all types of unwanted activities, including but not limited to the abuse of copyrighted materials, hosting of malware and botnet command and control (C2) servers, support to hate speech and misinformation, illegal gambling, pornography, and spam.
For years, bulletproof hosting providers have offered safe havens for cybercriminals by refusing or resisting takedown requests and allowing illicit activity to flourish. In traditional bulletproof hosting, the entire infrastructure is often controlled by a criminal enterprise or purpose-built for resilience against law enforcement while ever-so-coincidentally being located in countries with weak engagement with international law enforcement.
A key differentiator between BPH and infrastructure laundering is that legitimate hosts being abused to support infrastructure laundering can and do take actions to stop it. However, infrastructure laundering appears to rely on gaps between when a threat actor can use a new account to acquire another IP and the time it takes for a cloud provider to realize that IP is being used illicitly.
Layered Transactions Create Tracking Challenges
Services within the cybercrime-as-a-service (CaaS) ecosystem (such as ransomware as a service (RaaS) or phishing kits) often provide resources that criminals can lease or buy directly from other threat actors.
In infrastructure laundering, however, the key difference lies in a layered financial transaction where the primary cloud providers may not see a singular entity renting the IPs but instead have numerous “IP mules” who set up or acquire accounts and purchase IPs without transparency about who they are doing it for.
In fact, beyond shared payment methods, contact details, or other insights from internal tooling we are unaware of, the only way a cloud provider could know that FUNNULL was renting these IPs would be if they had tracked all three of the random domains FUNNULL uses for CNAME chains (funnull[.]vip, funnull01[.]vip, fn03[.]vip), and created a system to monitor newly-rented IPs being mapped to any of these CNAMEs.
Methods like this represent a unique tracking challenge, creating opportunities for threat actors to remain unseen but also allowing defenders to react in real time – provided they are aware of it.
Emerging Regulatory Concerns
Cybersecurity experts and regulators have only recently started to examine the financial and technical blind spots created by third-party intermediaries more closely. The idea that cloud hosting providers could be unwitting victims while also potentially missing opportunities to stop corporate threat actors from abusing these systems creates challenges that don’t have any easy answers.
Key Connections
Silent Push’s investigation into the FUNNULL CDN on our Triad Nexus blog revealed a large cluster of malicious infrastructure and its pivotal role in facilitating extensive cybercriminal activities, many of which are orchestrated by Chinese Triad groups. This aligns with the United Nations Office on Drugs and Crime (UNODC) 2024 Report that discusses Transnational Organized Crime, or “TOC,” and its findings on the convergence of cyber-enabled fraud, underground banking, and technological innovation in Southeast Asia.
In our FUNNULL research, Silent Push Threat Analysts discovered this network of investment and retail scam websites, along with money laundering websites, are actually hosted on a combination of numerous Western IP addresses owned by prominent U.S. hosting companies and prominent Asian hosting providers. This blending of hosting between the U.S. and Asia is significant as this could be an effort to host in locations that don’t regularly collaborate on cyber threats. The crime group also targets victims in both jurisdictions, so having hosting in those locations would improve the speed and potentially the perceived legitimacy of the websites.
Hosting Malicious Infrastructure
FUNNULL CDN has been identified as hosting over 200,000 unique hostnames, of which approximately 95% are generated through Domain Generation Algorithms (DGAs). These domains are linked to illicit activities such as investment scams and fake trading applications. Moreover, these activities are directly associated with money laundering as a service on shell gambling websites that abuse the trademarks of a dozen popular casino brands and which are available online today.
One organization whose trademarks are being abused within the FUNNULL network is the online gambling portal Bwin. Our research into Bwin’s connection revealed that its association with FUNNULL is due to an abuse of its brand name—they have no actual relationship. Approximately a dozen other major online gambling brands’ trademarks are also being abused across tens of thousands of shell gambling websites.
One of the active Bwin spoofed sites hosted on a Microsoft IP address via FUNNULL CDN in December 2024 can be seen here:
b69885[.]com is hosted on 20.2.234[.]182, which is located on Microsoft infrastructure, AS8075
Dozens of the Bwin-impersonated sites were hosted on Microsoft’s infrastructure:
Web Scanner results for Bwin sites on FUNNULL hosted on Microsoft’s infrastructure, AS8075
Chris Alfred, a spokesperson for Entain, Bwin’s parent company, told TechCrunch that Entain can confirm that the domain associated with FUNNULL is a fake website. Bwin does not own it and has nothing to do with it. The site owner appears to be infringing on the Bwin brand. Alfred has said they are taking action to resolve the issue and get the site removed.
Supply Chain Attacks
Earlier this year, FUNNULL’s acquisition of the popular JavaScript library polyfill[.]io led to a supply chain attack that impacted over 110,000 websites. This incident underscores the sophisticated methods these criminal networks employ to infiltrate legitimate systems, albeit sometimes for murky purposes.
Infographic showing the infrastructure laundering process
Cybersecurity Concerns
The likely collaboration between entities like FUNNULL CDN and organized crime groups like the Chinese Triads exemplifies the complex and evolving nature of TOC in Southeast Asia. The fusion of technological innovation with traditional criminal activities necessitates comprehensive and coordinated efforts across international law enforcement and regulatory bodies to effectively address and mitigate these threats.
A key roadblock to stopping these cyber criminals, however, is that this large crime infrastructure uses mainstream cloud providers like AWS and Azure as part of its underlying setup and continues to rent IPs, even with apparent efforts to stop them.
The node map below shows the main entities involved in providing FUNNULL CDN with the underlying hosting services it uses. This is a very active network, even if major cloud hosts are regularly banning IPs that are mapped into their infrastructure.
Node map showing the main entities involved in providing underlying host services to FUNNULL CDN
Mapping FUNNULL CDN Scams
At its peak in 2022, the investment scam infrastructure on FUNNULL CDN had thousands of active domains.
While more modest in 2024, this malicious cluster still had some active sites, including cmegrouphkpd[.]info, which has hosted a fake trading platform abusing CME Group’s brand and logo for the past two years. It only recently went offline after we published our Triad Nexus report on FUNNULL CDN.
Content previously hosted on cmegrouphkpd[.]info
Having been live for over two years, the domain cmegrouphkpd[.]info also helped our team map CNAME record changes across the FUNNULL CDN.
The domain had a CNAME record pointing to *.funnull[.]vip between February and March 2022, changing to *.funnull01[.]vip between March 2022 and June 2024, and which has since then switched to *.fn03[.]vip.
CNAME records for cmegrouphkpd[.]info
In the first CNAME hop, FUNNULL maps client domains to a CNAME record such as *.fn03[.]vip
The second CNAME hop is from the *.fn03[.]vip record mapped to another CNAME at *.fnvip100[.]com
The third CNAME hop starts at the second CNAME, fnvip100[.]com, which is then mapped to rented IP addresses.
Screenshot of a Forward CNAME lookup for 6ce0a6db.u.fn03[.]vip
By having CNAME chains within FUNNULL’s CDN infrastructure, every time a DNS client requests the domain/hostname of a FUNNULL customer, the DNS resolver follows the resolution chain and answers with the IP address of its “Point of Presence” (PoP) with the fastest response:
DNS Forward A lookup for 0e6de73d2.n.fnvip100[.]com
As a result, these CNAME chains can be used to map FUNNULL’s entire customer infrastructure on its CDN and obtain the IP addresses for its entire Point of Presence network.
The three CNAME records that are needed to map rented IPs used within the FUNNULL CDN can be seen in the data flow map below, highlighted in a red box. If you conduct a forward A lookup on these CNAME records, you will get the list of rented IPs in the network.
Important Note: Listed below are the three specific CNAME records needed to map IPs currently in use within the FUNNULL CDN. Those records are:
fn301[.]vip
fnvip100[.]com
funnull100[.]com
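The CNAME-chain mapping described above (client domain to *.fn03[.]vip to *.fnvip100[.]com to rented IPs, then grouping the rented IPs by ASN) and the monitoring idea raised earlier, of watching newly mapped IPs behind the known apex names, as one added example that is not Silent Push code. The zone data is constructed and offline: the chain shape and the two intermediate hostnames mirror the post, but the IP addresses (TEST-NET ranges), the ASN table (private ASNs) and the extra client names are placeholders.

```python
"""Follow and map CNAME chains of the shape described in the post (added example)."""
import ipaddress
from collections import defaultdict
from dataclasses import dataclass, field


def refang(name):
    """Turn the defanged form used in reports (example[.]com) back into a hostname."""
    return name.replace("[.]", ".").lower().rstrip(".")


# Constructed zone: name -> ("CNAME", target) or ("A", [ips]). Offline stand-in for DNS.
ZONE = {refang(k): v for k, v in {
    "cmegrouphkpd[.]info": ("CNAME", "6ce0a6db.u.fn03[.]vip"),
    "6ce0a6db.u.fn03[.]vip": ("CNAME", "0e6de73d2.n.fnvip100[.]com"),
    "0e6de73d2.n.fnvip100[.]com": ("A", ["203.0.113.10", "198.51.100.7", "192.0.2.55"]),
    "brand-login[.]test": ("CNAME", "1a2b3c4d.u.fn03[.]vip"),      # constructed client
    "1a2b3c4d.u.fn03[.]vip": ("CNAME", "0e6de73d2.n.fnvip100[.]com"),
    "legit-shop[.]test": ("CNAME", "cdn.example-cdn[.]test"),      # unrelated CDN customer
    "cdn.example-cdn[.]test": ("A", ["192.0.2.200"]),
    "loop-a[.]test": ("CNAME", "loop-b[.]test"),                   # misconfigured loop
    "loop-b[.]test": ("CNAME", "loop-a[.]test"),
}.items()}

# Apex names the post gives for the CDN's CNAME hops; *.apex matching is done by suffix.
LAUNDERING_APEXES = ("funnull.vip", "funnull01.vip", "fn03.vip", "fnvip100.com")

# Constructed prefix-to-ASN table standing in for a real IP-to-ASN lookup.
ASN_TABLE = {"203.0.113.0/24": 64500, "198.51.100.0/24": 64501, "192.0.2.0/24": 64502}


@dataclass
class Resolution:
    chain: list = field(default_factory=list)  # names visited, client first
    ips: list = field(default_factory=list)
    error: str = None


def resolve_chain(name, zone=ZONE, max_hops=8):
    """Follow CNAMEs until A records, a missing name, a loop or the hop limit."""
    res = Resolution()
    current = refang(name)
    while current not in res.chain and len(res.chain) < max_hops:
        res.chain.append(current)
        record = zone.get(current)
        if record is None:
            res.error = "NXDOMAIN"
            return res
        rtype, value = record
        if rtype == "A":
            res.ips = list(value)
            return res
        current = refang(value)
    res.error = "loop" if current in res.chain else "too many hops"
    return res


def apex_for(hostname, apexes=LAUNDERING_APEXES):
    """Return the apex a hostname sits under (wildcard *.apex), or None."""
    return next((a for a in apexes if hostname == a or hostname.endswith("." + a)), None)


def map_pop_ips(zone=ZONE, apexes=LAUNDERING_APEXES):
    """Client hostname -> rented IPs, for every chain that passes through a known apex."""
    mapping = {}
    for client in zone:
        if apex_for(client, apexes):
            continue  # the CDN's own intermediate names are not customers
        res = resolve_chain(client, zone)
        if res.error is None and any(apex_for(h, apexes) for h in res.chain[1:]):
            mapping[client] = sorted(res.ips)
    return mapping


def ips_to_clients(mapping):
    """Inverse view: which client hostnames share each rented IP."""
    inverse = defaultdict(list)
    for client, ips in mapping.items():
        for ip in ips:
            inverse[ip].append(client)
    return {ip: sorted(clients) for ip, clients in inverse.items()}


def asn_for(ip, table=ASN_TABLE):
    addr = ipaddress.ip_address(ip)
    return next((asn for net, asn in table.items() if addr in ipaddress.ip_network(net)), None)


def ips_by_asn(mapping, table=ASN_TABLE):
    """Group rented IPs by owning ASN: the pivot that exposes which providers are used."""
    grouped = defaultdict(set)
    for ips in mapping.values():
        for ip in ips:
            grouped[asn_for(ip, table)].add(ip)
    return {asn: sorted(ips) for asn, ips in grouped.items()}


if __name__ == "__main__":
    mapped = map_pop_ips()
    print(mapped, ips_to_clients(mapped), ips_by_asn(mapped), sep="\n")
```

Re-running map_pop_ips against a fresh snapshot and diffing the IP set against the previous run is the "newly rented IP" monitor the post describes, with the ASN grouping showing which provider each new address came from.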
Map of FUNNULL CNAME Chains
Using this CNAME chain method of mapping both the hostnames and the IPs used in the FUNNULL CDN, Silent Push Threat Analysts identified over 200,000 unique hostnames being proxied through the FUNNULL network between late September and mid-October of 2024 – with more than 95% of the hostnames created with DGAs – and 1.5 million reverse CNAME record lookups have been collected since 2021.
Silent Push identified close to 500 of FUNNULL’s IPs being actively used by threat actors in live campaigns, and, as we expected, a large portion were located in Asian ASN ranges, such as AS152194 (China Telecom Global), AS45753 (NETSEC-HK Netsec Limited), and AS55933 (CLOUDIE-AS-AP Cloudie Limited).
Surprisingly, however, in December 2024, we discovered nearly 40% of the FUNNULL CDN’s IP addresses belonged to AS8075 (MICROSOFT) and AS16509 (AMAZON), two major U.S.-based cloud providers.
It’s important to appreciate that FUNNULL has rented over 1,200 IPs from Amazon, and nearly 200 IPs from Microsoft – and most of those IPs only last a few weeks at most before being taken down, some lasting only days. But there is a clear and consistent pattern – FUNNULL CDN wants to continue to acquire IPs from both Amazon and Microsoft and seems willing to use illicit methods to acquire them – and appears to be succeeding regularly in their efforts.
FUNNULL CDN infrastructure details with IP addresses from Microsoft, Amazon, and other sources
Using Silent Push’s extensive PADNS data, we have confirmed that FUNNULL has been renting Microsoft’s IP space since at least 2021, with some of these rented IPs mapped to FUNNULL for significant periods of time.
FUNNULL has been renting Microsoft IP space since 2021.
Based on a snapshot from December, across 438 IPs in the FUNNULL CDN, the vast majority are hosted in Hong Kong, Japan, and Singapore.
20 IP addresses, however, are currently hosted in the U.S.
And on any given day, even with IP takedowns and new IP addresses being added to the network regularly, it appears that FUNNULL always has some IP space in the U.S. and is constantly working to acquire more.
FUNNULL CDN IP addresses by geographic location
Retail Scams Find a Home in Infrastructure Laundering
Digging deeper into the FUNNULL CDN, our threat researchers found a campaign targeting dozens of major brands, with what appeared to be a focus on luxury fashion companies, with phishing pages hosted on the Triad Nexus FUNNULL CDN infrastructure. The phishing pages targeted multiple brands, including:
Aldo, Asada, Bonanza, Cartier, Chanel, Coach, eBay, Etsy, Gilt Groupe, Inditex, Lotte Mart, LVMH, Macy’s, Michael Kors, Neiman Marcus, OnBuy[.]com, Rakuten, Saks Fifth Avenue, Tiffany & Co., and Valentino.
An Entire CNAME Dedicated to Criminal Phishing and Investment Scam Websites
Our team discovered approximately 650 unique domains hosted on one specific FUNNULL CNAME record. This intrigued our team, as it indicated intentional segmentation broken down by each criminal client.
We soon realized that a chunk of these domains were investment scam websites such as coroexchange[.]com, seen here:
Screenshot of content previously hosted on coroexchange[.]com
Beyond the investment scam sites, the other websites hosted on this CNAME all appeared to be a new retail phishing campaign targeting major Western brands, with phishing login pages such as bonanza.jdfraa[.]com.
Screenshot of content previously hosted on bonanza.jdfraa[.]com
Our analysts also discovered another technical commonality between the phishing web pages – something that helped us find 80 separate retail phishing sites, all seemingly operated by the same threat actor. For operational security purposes, however, we’re only sharing that fingerprint with our enterprise clients and law enforcement officials to keep tabs on this network’s operations in the future.
Retail Phishing Hosted via Infrastructure Laundering on Amazon AWS and Microsoft Azure
FUNNULL CDN infrastructure details for the retail phishing campaign
The retail phishing domains hosted on FUNNULL were seen across 9 ASNs. From highest to lowest density, they included:
CTGSERVERLIMITED-AS-AP CTG Server Limited, HK (152194)
BCPL-SG BGPNET Global ASN SG (64050)
AMAZON-02 US (16509)
MICROSOFT-CORP-MSN-AS-BLOCK US (8075)
AMAZON-AES US (14618)
ALIBABA-CN-NET Alibaba US Technology Co. Ltd. CN (45102)
Screenshot of a Forward A lookup of *funnull100[.]com using Silent Push
As mentioned extensively, it appears both Amazon and Microsoft are essentially “under attack” by FUNNULL due to efforts to use numerous accounts to acquire IP addresses. FUNNULL essentially has agents moving faster than both of the companies, but you can see the takedowns and any new IPs via the queries included above.
To facilitate ad hoc investigations for anyone who doesn’t have a Silent Push account, we’ve included a small sample in the table below of some recent IPs rented by the FUNNULL CDN, which were owned by Microsoft or Amazon.
Thanks to collaborative efforts with our research team, FUNNULL should be banned from all of these listed IPs by the time of publishing, and we would like to express our appreciation for the efforts of both Microsoft and Amazon for trying to stop this ongoing abuse of their networks.
Looking Ahead, Bigger Questions Loom
As we noted previously, it is much easier for enterprises to defend against this type of crime if the services of mainstream providers are made unavailable to large criminal networks like FUNNULL.
And, while we can appreciate the challenges that cloud hosts are facing from a network that is using illicit means to acquire IPs, we believe that mapping the CNAME chains FUNNULL uses shines a bright light on all the IPs it has secretly rented.
Several Questions Remain
If the network is so clearly visible to us as cyber threat professionals, then why are cloud providers not able to take action in near real-time?
Is this CNAME chain to illicit IP rental strategy an architecture that should be effective at keeping websites online?
And finally, do cloud hosts have an obligation to conduct these types of investigations themselves so that networks like FUNNULL can’t host criminal schemes for years while the cloud hosts merely play whack-a-mole with IP rental takedowns?
Amazon’s Public Statement on the Matter
“Prior to receiving a draft of this report, AWS was already aware of the activity and were suspending the fraudulently-acquired accounts that we now know were linked to the activity described by the researcher. After we received a copy of the report, we continued our investigations and suspended additional accounts. All accounts known to be linked to the activity are suspended. We can confirm that there is no current risk from this activity, and no customer action is required.
The report claims that AWS in some way enables or at least turns a blind eye to this kind of activity, and profits from it. Those claims are false. The actor involved in this activity uses fraudulent methods to temporarily acquire infrastructure, for which it never actually pays. Thus, AWS incurs damages as a result of the abusive activity.
The report promotes a new ‘infrastructure laundering’ concept, but the concept doesn’t involve laundering, a process in which something illicit or “dirty” becomes legitimate or “clean.” By using that phrase, the report insinuates that AWS is the intermediary to make the abusive activity appear legitimate and thereby harder to detect or block. That’s incorrect. Detecting the abuse of and/or blocking public IP addresses of cloud infrastructure is no more difficult than with any other public IP addresses.
When AWS’s automated or manual systems detect potential abuse, or when we receive reports of potential abuse, we act quickly to investigate and take action to stop any prohibited activity. In the event anyone suspects that AWS resources are being used for abusive activity, we encourage them to report it to AWS Trust & Safety using the report abuse form at https://support.aws.amazon.com/#/contacts/report-abuse
In this case, the authors of the report never notified AWS of the findings of their research via our easy-to-find security and abuse reporting channels. Instead, AWS first learned of their research from a journalist to whom the researchers had provided a draft. AWS had to contact the researchers proactively to obtain a draft of the report before publication.”
— End Public Statement —
Silent Push appreciates Amazon’s willingness to engage in constructive discourse on this matter. Our platform and data provide us with an excellent vantage point from which to track and monitor this type of activity at scale, as we have done for the last few years. In terms of AWS infrastructure utilized by FUNNULL, we have been tracking this threat’s use of Amazon IPs for nearly two years – during which Amazon has certainly put effort into identifying and taking down the instances their teams have uncovered.
We want to recognize that effort and share that we understand the difficulties inherent to mapping CNAME connections at this kind of scale, particularly when new examples show up all the time, such as http[:]//43[.]198[.]25[.]172, which is actively hosted on AWS, displays the FUNNULL error page (as of this writing), and is mapped to the fn03.vip CNAME. We know it can be challenging for security teams to keep pace with the rapid emergence of new threats, but appreciate everyone’s efforts to stay informed on how criminals are attempting to obscure their activity by hiding among legitimately hosted cloud traffic.
Silent Push shines in this area, and we look forward to working with AWS on this matter in the future — from sharing our expertise in tracking criminal actors engaged in infrastructure laundering with defenders to illuminating these threats with public discussion.
Continuing to Track Infrastructure Laundering
Our team continues to track infrastructure laundering in all of its ever-evolving forms. We will report our findings to the security community as we identify new developments and other threat actors taking advantage of the practice.
We will also continue to share our research on threats we discover with law enforcement. If you happen to have any tips about threat actors participating in infrastructure laundering or engaging in other types of crime obfuscation activities, our team would love to hear from you.
Mitigation
Silent Push believes all domains associated with infrastructure laundering present some level of risk.
Our analysts construct Silent Push IOFA™ Feeds that provide a growing list of Indicators of Future Attack™ data focused on scams supported by this technique.
Silent Push Indicators of Future Attack™ (IOFA™) Feeds are available as part of an Enterprise subscription. Enterprise users can ingest IOFA™ Feed data into their security stack to inform their detection protocols or use it to pivot across attacker infrastructure using the Silent Push Console and Feed Analytics screen.
Register for Community Edition
Silent Push Community Edition is a free threat-hunting and cyber defense platform featuring a range of advanced offensive and defensive lookups, web content queries, and enriched data types.