Suspicious traffic to unusual site names in the .info TLD
One of my customer's systems has been connecting to unusual sites in the .info TLD. These are site names like:

expeditertruffleluxury.info
daresroutinebroadcast.info
fetalhydrantembroider.info
jumblejockeyhurler.info

The names all seem to be 3 long but obscure English words. They all have similar registration details, in particular the same registrar and creation date.

Domain Name: EXPEDITERTRUFFLELUXURY.INFO
Registry Domain ID: D503300000043619417-LRMS
Registrar WHOIS Server: whois.godaddy.com
Registrar URL: http://www.wildwestdomains.com
Updated Date: 2017-10-25T20:30:30Z
Creation Date: 2017-08-26T02:08:26Z
Registry Expiry Date: 2018-08-26T02:08:26Z

All resolved addresses point to blocks owned by "Hurricane Electric":

The traffic is all HTTPS encrypted.

Has anyone seen anything similar?
jauntysankey
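As an added example (not part of the original post), a small Python check a defender could run over resolver logs to flag lookups for .info names whose label splits into exactly three dictionary words, the pattern described above; the word list, the log lines and the client address are constructed, and a real run would load a full English word list and read the customer's own DNS logs.

```python
# Added example (not from the original post): flag .info lookups whose label
# splits into exactly three dictionary words. Word list and log lines are
# constructed; a real run would load a full English word list and your logs.
from functools import lru_cache

# Constructed mini dictionary containing the words seen in the post.
WORDS = frozenset("""
expediter truffle luxury dares routine broadcast fetal hydrant embroider
jumble jockey hurler mail cdn static images example
""".split())

def segmentations(label, words=WORDS):
    """Return every split of label into dictionary words, as tuples."""
    @lru_cache(maxsize=None)
    def rec(i):
        if i == len(label):
            return [()]
        out = []
        for j in range(i + 1, len(label) + 1):
            if label[i:j] in words:
                out.extend((label[i:j],) + rest for rest in rec(j))
        return out
    return rec(0)

def is_three_word_info(domain, words=WORDS):
    """True if domain is <label>.info and label is exactly three words."""
    parts = domain.lower().rstrip(".").split(".")
    if len(parts) != 2 or parts[1] != "info" or not parts[0].isalpha():
        return False
    return any(len(s) == 3 for s in segmentations(parts[0], words))

def flag_suspicious(log_lines):
    """Return (timestamp, client, domain) for lookups matching the pattern."""
    hits = []
    for line in log_lines:
        ts, client, qname = line.split()[:3]
        if is_three_word_info(qname):
            hits.append((ts, client, qname.lower().rstrip(".")))
    return hits

# Constructed sample resolver log: timestamp client queried-name
SAMPLE_LOG = [
    "2017-10-25T20:31:00Z 10.0.0.12 expeditertruffleluxury.info.",
    "2017-10-25T20:31:05Z 10.0.0.12 cdn.example.com.",
    "2017-10-25T20:31:09Z 10.0.0.12 fetalhydrantembroider.info.",
    "2017-10-25T20:31:11Z 10.0.0.12 mail.info.",
]
if __name__ == "__main__":
    for ts, client, dom in flag_suspicious(SAMPLE_LOG):
        print(ts, client, dom)
```

Because the traffic is HTTPS, the resolver log (or the TLS SNI field) is where this pattern is visible; with a full word list, legitimate two-word brand names will not match the three-word rule, but expect to tune the dictionary for short common words.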