A threat actor, identified as Prolific Puma, has maintained a discreet presence while operating an underground link-shortening service for the past four years.
Modus Operandi
Prolific Puma employs a Registered Domain Generation Algorithm (RDGA) to create domain names and offers a link-shortening service built on them to other malicious actors. Unlike a classic malware DGA, where most generated names are never registered, an RDGA produces names that the actor actually registers and controls. The service helps its customers evade detection while distributing phishing, scams, and malware.
Infoblox’s analysis, based on Domain Name System (DNS) analytics, sheds light on this threat actor’s activities.
- Prolific Puma plays a critical role in the cybercrime supply chain by providing the link shorteners that malicious actors use in phishing attacks.
- Since April 2022, Prolific Puma has registered between 35,000 and 75,000 unique domain names.
- The threat actor utilizes DNS infrastructure for malicious purposes.
How Does Prolific Puma Act Differently?
What sets Prolific Puma apart is the utilization of NameSilo, an American domain registrar and web hosting company, for domain registration and name servers.
This choice is primarily based on affordability and the convenience of an API facilitating bulk registration.
It does not openly advertise its shortening service on underground markets. It also practices strategic domain aging: newly registered domains are parked for several weeks before being moved to hosting with anonymous providers.
Prolific Puma’s domain names are characterized by alphanumeric, pseudo-random combinations of variable length, typically 3 to 4 characters. However, Infoblox has also observed Second-Level Domain (SLD) labels as long as 7 characters.
More About the Threat Actor
The threat actor has registered thousands of domains in the U.S. top-level domain (usTLD) since May 2023. These domains often use an email address referencing the song “OCT 33” by the psychedelic soul band Black Pumas, specifically blackpumaoct33@ukr[.]net.
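The naming pattern and registration indicators described above (short pseudo-random alphanumeric SLDs, the usTLD, NameSilo registration, the blackpumaoct33@ukr[.]net registrant address) can be turned into a simple triage score over domain records. The following is an added example written for this page, not Infoblox’s tooling or anything Prolific Puma operates. The sample records are constructed; the nameserver suffix (NameSilo’s default DNS hosts are believed to use dnsowl.com), the 45-day parking window and the scoring weights are assumptions of the example.

```python
"""Heuristic triage for Prolific Puma-style shortener domains.

Added example for this page, not Infoblox's code. Indicators come from
the article; the nameserver suffix, parking window and weights are
assumptions and should be tuned against local data.
"""
import re
from dataclasses import dataclass

KNOWN_REGISTRANT = "blackpumaoct33@ukr.net"   # from the article
SUSPECT_TLDS = {"us"}                         # from the article (usTLD)
SUSPECT_NS_SUFFIXES = ("dnsowl.com",)         # assumption: NameSilo default NS
SHORT_SLD = re.compile(r"^[a-z0-9]{3,7}$")    # 3-7 alphanumeric characters
VOWELS = set("aeiou")
PARKED_WINDOW_DAYS = 45                       # assumption: "several weeks" of aging


@dataclass
class DomainRecord:
    """One domain joined from passive DNS and WHOIS/RDAP; fields may be empty."""
    domain: str
    nameserver: str
    registrant_email: str
    age_days: int


def split_domain(domain: str):
    """Return (SLD, TLD). Ignores the public suffix list, so names under
    two-label suffixes such as co.uk would need a real PSL lookup."""
    labels = domain.lower().rstrip(".").split(".")
    if len(labels) < 2:
        raise ValueError(f"not a registrable domain: {domain!r}")
    return labels[-2], labels[-1]


def looks_pseudo_random(sld: str) -> bool:
    """Short label with digits mixed in, or letters with almost no vowels."""
    if not SHORT_SLD.match(sld):
        return False
    if any(c.isdigit() for c in sld):
        return True
    vowel_ratio = sum(c in VOWELS for c in sld) / len(sld)
    return vowel_ratio < 0.25


def score(rec: DomainRecord):
    """Return (total, reasons). Weights are illustrative, not calibrated."""
    sld, tld = split_domain(rec.domain)
    checks = [
        (2, "short pseudo-random SLD", looks_pseudo_random(sld)),
        (1, "usTLD", tld in SUSPECT_TLDS),
        (1, "suspect nameserver",
         rec.nameserver.lower().endswith(SUSPECT_NS_SUFFIXES)),
        (3, "known registrant e-mail",
         rec.registrant_email.strip().lower() == KNOWN_REGISTRANT),
        (1, "recently registered", 0 <= rec.age_days <= PARKED_WINDOW_DAYS),
    ]
    hits = [(w, reason) for w, reason, ok in checks if ok]
    return sum(w for w, _ in hits), [reason for _, reason in hits]


def triage(records, threshold: int = 4):
    """Domains scoring at or above threshold, highest score first."""
    scored = [(rec.domain, score(rec)[0]) for rec in records]
    flagged = [(d, s) for d, s in scored if s >= threshold]
    return sorted(flagged, key=lambda ds: -ds[1])


# Constructed sample records, not real observations.
SAMPLE = [
    DomainRecord("k7m2.us", "ns1.dnsowl.com", "blackpumaoct33@ukr.net", 21),
    DomainRecord("xq9.cc", "ns2.dnsowl.com", "REDACTED FOR PRIVACY", 35),
    DomainRecord("shop.us", "ns1.example-dns.net", "admin@example.com", 900),
    DomainRecord("hj4t8.us", "ns3.dnsowl.com", "", 10),
    DomainRecord("example.com", "ns1.example-dns.net", "hostmaster@example.com", 3000),
]

if __name__ == "__main__":
    for domain, total in triage(SAMPLE):
        rec = next(r for r in SAMPLE if r.domain == domain)
        print(domain, total, score(rec)[1])
```

The registrant match carries the most weight because it is the one indicator that ties a domain to this actor rather than to short-domain registrations in general; a short random label on its own is also common among legitimate shorteners, so it is never sufficient by itself to cross the threshold.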
The true identity and origins of Prolific Puma are still unknown. Multiple threat actors leverage this service to direct visitors to phishing and scam websites, present CAPTCHA challenges, and even lead them to other shortened links created by different services.
Image Description: A notional path depicting how a shortened URL interacts with DNS and the shortening service to redirect the victim to malicious content.
Infoblox has documented a phishing and malware attack wherein victims who click on a shortened link are redirected to a landing page that solicits personal information and payment, ultimately infecting their systems with browser plugin malware.
The case of Prolific Puma serves as a prime example of how the Domain Name System (DNS) can be exploited to support criminal activities while evading detection over an extended period.
Forward Thought
We must anticipate that threat actors like Prolific Puma will continue to adapt and refine their tactics. As technology evolves, so too will the methods of exploitation. Therefore, staying one step ahead must be our priority.
The story of Prolific Puma is a call to action to invest in robust DNS security measures.