One Step Ahead in Cyber Hide-and-Seek: Automating Malicious Infrastructure Discovery With Graph Neural Networks

    Date: 01/15/2025

    Severity: High

    Summary

    When running large-scale campaigns, threat actors automate the setup of their infrastructure and, in doing so, reuse, rotate, or share parts of it. Those habits leave traces that defenders can exploit: pivoting from known indicators across shared infrastructure attributes surfaces domains that have not yet been reported. The referenced Unit 42 article shows the advantages of automating that pivoting through three case studies in which it uncovered new indicators: a network crawler collected relationships among domains, and a graph neural network (GNN) analyzed those relationships to identify additional malicious artifacts.
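The pivoting idea above, as an added example that is not code from this advisory or from the Unit 42 article: a small rule-based pivot scorer on a domain/attribute graph stands in for the crawler and GNN pipeline. Every domain (.example), IP address (RFC 5737 documentation ranges) and name server below is constructed, and the fan-out cap, the decay and the 1/(fanout - 1) weighting are assumptions chosen for illustration, not parameters from the article.

```python
"""Automated pivoting on a domain/attribute graph.

Added example: not code from this advisory or from the Unit 42 article it
references. A rule-based pivot scorer with a fan-out cap stands in for the
crawler plus graph neural network pipeline the article describes. Every
domain, IP (RFC 5737 documentation ranges) and name server is constructed.
"""
from collections import defaultdict

# Constructed crawl output: (domain, attribute_type, attribute_value).
OBSERVATIONS = [
    ("seed-phish-a.example", "ip", "203.0.113.10"),
    ("seed-phish-a.example", "ns", "ns1.actor-dns.example"),
    ("seed-phish-b.example", "ip", "203.0.113.10"),
    ("seed-phish-b.example", "ns", "ns1.actor-dns.example"),
    ("seed-phish-b.example", "ip", "198.51.100.5"),   # also on a shared host
    ("candidate-1.example", "ns", "ns1.actor-dns.example"),
    ("candidate-1.example", "ip", "203.0.113.11"),
    ("candidate-2.example", "ip", "203.0.113.11"),
    ("candidate-3.example", "ip", "198.51.100.5"),
    ("shop.legit.example", "ip", "198.51.100.5"),
    ("blog.legit.example", "ip", "198.51.100.5"),
    ("www.legit.example", "ip", "198.51.100.5"),
]
KNOWN_BAD = {"seed-phish-a.example", "seed-phish-b.example"}


def build_graph(observations):
    """Bipartite graph: domain nodes link to 'type:value' attribute nodes."""
    adj = defaultdict(set)
    for domain, atype, avalue in observations:
        attr = f"{atype}:{avalue}"
        adj[domain].add(attr)
        adj[attr].add(domain)
    return adj


def pivot(adj, seeds, max_rounds=3, max_fanout=4, decay=0.8, threshold=0.3):
    """Expand from known-bad seeds through shared attributes.

    In each round every frontier domain passes score * decay / (fanout - 1)
    to the other domains sharing an attribute with it: an attribute shared
    by two domains is strong evidence, one shared by many is weak. Attributes
    shared by more than max_fanout domains (shared hosting, popular name
    servers) are never pivoted through. Domains whose accumulated score
    reaches the threshold become the next frontier. Returns
    {domain: (score, [(attribute, via_domain), ...])} for discovered
    domains; seeds are excluded from the result.
    """
    score = {s: 1.0 for s in seeds}
    evidence = defaultdict(list)
    frontier = set(seeds)
    for _ in range(max_rounds):
        found = defaultdict(float)
        for via in frontier:
            for attr in adj[via]:
                fanout = len(adj[attr])
                if fanout < 2 or fanout > max_fanout:
                    continue
                weight = score[via] * decay / (fanout - 1)
                for other in adj[attr]:
                    if other in score:          # a seed or already discovered
                        continue
                    found[other] += weight
                    evidence[other].append((attr, via))
        promoted = {d: min(1.0, s) for d, s in found.items() if s >= threshold}
        if not promoted:
            break
        score.update(promoted)
        frontier = set(promoted)
    return {d: (score[d], evidence[d]) for d in score if d not in seeds}


def rank_pivots(observations, seeds):
    """Build the graph, pivot from the seeds, and rank hits by score."""
    hits = pivot(build_graph(observations), seeds)
    return sorted(hits.items(), key=lambda item: item[1][0], reverse=True)


if __name__ == "__main__":
    for domain, (s, ev) in rank_pivots(OBSERVATIONS, KNOWN_BAD):
        links = ", ".join(f"{attr} via {via}" for attr, via in ev)
        print(f"{domain:22s} {s:.2f}  {links}")
```

With the defaults, candidate-1 is found through the actor's name server (shared with both seeds) and candidate-2 through the IP it shares only with candidate-1; candidate-3 and the legit.example hosts are never reached because the shared host exceeds the fan-out cap. Raise the cap and the walk leaves the actor's infrastructure through that host and every co-tenant becomes a "pivot", which is exactly how naive IOC expansion produces false positives. In production the attributes would come from passive DNS, WHOIS and certificate data, and the hand-tuned scorer would be replaced by a trained model such as the GNN the article describes.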

    Indicators of Compromise (IOC) List

    Domains/URLs:

    advanced-ip-sccanner.com

    ipscanneronline.com

    ipscannershop.com

    myipscanner.com

    myscannappo.com

    myscannappo.info

    myscannappo.online

    theipscanner.com

    correoparaguayo-myposta.top

    correoparaguayo-mypostf.top

    correoparaguayo-myposth.top

    correoparaguayo-myposts.top

    correoparaguayo-mypostvsa.top

    correoparaguayo-mypostvsd.top

    correoparaguayo-mypostvse.top

    correoparaguayo-mypostvsf.top

    correoparaguayo-mypostvsg.top

    correoparaguayo-mypostvsh.top

    correoparaguayo-mypostvsi.top

    correoparaguayo-mypostvsl.top

    correoparaguayo-mypostvsp.top

    correoparaguayo-mypostvst.top

    correoparaguayo-mypostvsu.top

    correoparaguayo-mypostvsx.top

    correoparaguayo-mypostvsy.top

    correoparaguayo-mypostvsz.top

    correosespe.top

    correoseswe.top

    correospanamaagobs-csc.top

    correospanamaagobs-csd.top

    correospanamaagobs-cse.top

    correospanamaagobs-csr.top

    correospanamaagobs-css.top

    correospanamaagobs-csx.top

    koreapostge.shop

    koreapostma.shop

    koreapostmk.shop

    koreapostmv.shop

    koreapostmx.shop

    koreapostmz.shop

    koreapostni.shop

    koreapostnp.shop

    koreapostnu.shop

    koreapostpc.shop

    koreapostpe.shop

    koreapostpf.shop

    koreapostpg.shop

    koreapostpo.shop

    koreapostpt.shop

    koreapostpu.shop

    koreapostpw.shop

    koreapostst.shop

    koreapostxb.shop

    koreapostxn.shop

    koreapostxt.shop

    us-usos-qwtaa.top

    us-usos-qwtad.top

    us-usos-qwtaz.top

    usps-supsrfvw.top

    usps-supsrmuo.top

    usps-supsrrne.top

    usps-supsrrno.top

    usps-supsrtys.top

    uspsepsu.top

    uspsftpr.top

    uspsfugu.top

    uspsgrjp.top

    uspsntfj.top

    uspstpar.top

    uspsyeay.top

    uspsygfk.top

    byvlsa.com

    cdn-google-tag.info

    cdn-report.com

    cdnreport.net

    chatwareopenalgroup.net

    cssjs.co

    google-site-verification.com

    jquerylib-min.net

    jsmin.co

    ns1.static5-jquery.com

    ns2.static5-jquery.com

    ssl-google-analytics.com

    static5-jquery.com

    staticlitycis.com

    woocomnnerce.com

    apps.guardiantrustbanks.us

    capitalxpresslogistic.live.firstnationalbank.live

    deutsche-chartered-bank.cloudswt.com

    eurobank-stocks.us

    eurobank-stockscom.com

    ftp.pristineglobalinvestmentbank.com

    gcorpfinbank.info

    hgsgbank.com.nexcreditunion.com

    inncbank.com.nexcreditunion.com

    metropoliscapitalbank.us

    oceansharebank.com

    pristineglobalinvestmentbank.com

    standardcharteredbank.live

    truistcommercialbank.live.rhinoswiftdelivery.live

    webmail.portal.guardiantrustbank.us

    www.capitalxpresslogistic.live.firstnationalbank.live

    www.deutsche-chartered-bank.cloudswt.com

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains/URLs 1:

    userdomainname like "correoparaguayo-mypostvst.top" or url like "correoparaguayo-mypostvst.top" or userdomainname like "ns1.static5-jquery.com" or url like "ns1.static5-jquery.com" or userdomainname like "koreapostni.shop" or url like "koreapostni.shop" or userdomainname like "webmail.portal.guardiantrustbank.us" or url like "webmail.portal.guardiantrustbank.us" or userdomainname like "myscannappo.com" or url like "myscannappo.com" or userdomainname like "correoparaguayo-mypostvsa.top" or url like "correoparaguayo-mypostvsa.top" or userdomainname like "correoparaguayo-mypostvsg.top" or url like "correoparaguayo-mypostvsg.top" or userdomainname like "koreapostmz.shop" or url like "koreapostmz.shop" or userdomainname like "correosespe.top" or url like "correosespe.top" or userdomainname like "uspstpar.top" or url like "uspstpar.top" or userdomainname like "myipscanner.com" or url like "myipscanner.com" or userdomainname like "correoparaguayo-mypostvsh.top" or url like "correoparaguayo-mypostvsh.top" or userdomainname like "koreapostpw.shop" or url like "koreapostpw.shop" or userdomainname like "koreapostst.shop" or url like "koreapostst.shop" or userdomainname like "correoseswe.top" or url like "correoseswe.top" or userdomainname like "koreapostpe.shop" or url like "koreapostpe.shop" or userdomainname like "usps-supsrrno.top" or url like "usps-supsrrno.top" or userdomainname like "correospanamaagobs-csc.top" or url like "correospanamaagobs-csc.top" or userdomainname like "usps-supsrtys.top" or url like "usps-supsrtys.top" or userdomainname like "uspsntfj.top" or url like "uspsntfj.top" or userdomainname like "eurobank-stockscom.com" or url like "eurobank-stockscom.com" or userdomainname like "correoparaguayo-mypostvsi.top" or url like "correoparaguayo-mypostvsi.top" or userdomainname like "koreapostpc.shop" or url like "koreapostpc.shop" or userdomainname like "cdn-google-tag.info" or url like "cdn-google-tag.info" or userdomainname like "us-usos-qwtaa.top" or url like "us-usos-qwtaa.top" or userdomainname like "woocomnnerce.com" or url like "woocomnnerce.com" or userdomainname like "ipscanneronline.com" or url like "ipscanneronline.com" or userdomainname like "myscannappo.online" or url like "myscannappo.online" or userdomainname like "apps.guardiantrustbanks.us" or url like "apps.guardiantrustbanks.us" or userdomainname like "advanced-ip-sccanner.com" or url like "advanced-ip-sccanner.com"

    Domains/URLs 2:

    userdomainname like "ipscannershop.com" or url like "ipscannershop.com" or userdomainname like "correospanamaagobs-csd.top" or url like "correospanamaagobs-csd.top" or userdomainname like "jquerylib-min.net" or url like "jquerylib-min.net" or userdomainname like "cdnreport.net" or url like "cdnreport.net" or userdomainname like "oceansharebank.com" or url like "oceansharebank.com" or userdomainname like "staticlitycis.com" or url like "staticlitycis.com" or userdomainname like "pristineglobalinvestmentbank.com" or url like "pristineglobalinvestmentbank.com" or userdomainname like "correoparaguayo-myposth.top" or url like "correoparaguayo-myposth.top" or userdomainname like "correoparaguayo-mypostvsu.top" or url like "correoparaguayo-mypostvsu.top" or userdomainname like "correospanamaagobs-csx.top" or url like "correospanamaagobs-csx.top" or userdomainname like "koreapostge.shop" or url like "koreapostge.shop" or userdomainname like "koreapostpf.shop" or url like "koreapostpf.shop" or userdomainname like "usps-supsrfvw.top" or url like "usps-supsrfvw.top" or userdomainname like "uspsgrjp.top" or url like "uspsgrjp.top" or userdomainname like "usps-supsrrne.top" or url like "usps-supsrrne.top" or userdomainname like "ftp.pristineglobalinvestmentbank.com" or url like "ftp.pristineglobalinvestmentbank.com" or userdomainname like "correoparaguayo-myposts.top" or url like "correoparaguayo-myposts.top" or userdomainname like "koreapostmv.shop" or url like "koreapostmv.shop" or userdomainname like "koreapostpu.shop" or url like "koreapostpu.shop" or userdomainname like "uspsyeay.top" or url like "uspsyeay.top" or userdomainname like "static5-jquery.com" or url like "static5-jquery.com" or userdomainname like "correospanamaagobs-css.top" or url like "correospanamaagobs-css.top" or userdomainname like "www.capitalxpresslogistic.live.firstnationalbank.live" or url like "www.capitalxpresslogistic.live.firstnationalbank.live" or userdomainname like "koreapostpg.shop" or url like "koreapostpg.shop" or userdomainname like "jsmin.co" or url like "jsmin.co" or userdomainname like "eurobank-stocks.us" or url like "eurobank-stocks.us" or userdomainname like "metropoliscapitalbank.us" or url like "metropoliscapitalbank.us" or userdomainname like "koreapostmx.shop" or url like "koreapostmx.shop" or userdomainname like "www.deutsche-chartered-bank.cloudswt.com" or url like "www.deutsche-chartered-bank.cloudswt.com" or userdomainname like "uspsepsu.top" or url like "uspsepsu.top" or userdomainname like "myscannappo.info" or url like "myscannappo.info" or userdomainname like "standardcharteredbank.live" or url like "standardcharteredbank.live" or userdomainname like "koreapostxb.shop" or url like "koreapostxb.shop" or userdomainname like "correoparaguayo-mypostvsp.top" or url like "correoparaguayo-mypostvsp.top" or userdomainname like "cdn-report.com" or url like "cdn-report.com" or userdomainname like "chatwareopenalgroup.net" or url like "chatwareopenalgroup.net" or userdomainname like "us-usos-qwtad.top" or url like "us-usos-qwtad.top" or userdomainname like "google-site-verification.com" or url like "google-site-verification.com" or userdomainname like "correoparaguayo-mypostvsx.top" or url like "correoparaguayo-mypostvsx.top" or userdomainname like "gcorpfinbank.info" or url like "gcorpfinbank.info" or userdomainname like "correoparaguayo-mypostvsf.top" or url like "correoparaguayo-mypostvsf.top" or userdomainname like "correoparaguayo-mypostf.top" or url like "correoparaguayo-mypostf.top"

    Domains/URLs 3:

    userdomainname like "correoparaguayo-myposta.top" or url like "correoparaguayo-myposta.top" or userdomainname like "theipscanner.com" or url like "theipscanner.com" or userdomainname like "correoparaguayo-mypostvsd.top" or url like "correoparaguayo-mypostvsd.top" or userdomainname like "correoparaguayo-mypostvse.top" or url like "correoparaguayo-mypostvse.top" or userdomainname like "correoparaguayo-mypostvsl.top" or url like "correoparaguayo-mypostvsl.top" or userdomainname like "correoparaguayo-mypostvsy.top" or url like "correoparaguayo-mypostvsy.top" or userdomainname like "correoparaguayo-mypostvsz.top" or url like "correoparaguayo-mypostvsz.top" or userdomainname like "correospanamaagobs-cse.top" or url like "correospanamaagobs-cse.top" or userdomainname like "correospanamaagobs-csr.top" or url like "correospanamaagobs-csr.top" or userdomainname like "koreapostma.shop" or url like "koreapostma.shop" or userdomainname like "koreapostmk.shop" or url like "koreapostmk.shop" or userdomainname like "koreapostnp.shop" or url like "koreapostnp.shop" or userdomainname like "koreapostnu.shop" or url like "koreapostnu.shop" or userdomainname like "koreapostpo.shop" or url like "koreapostpo.shop" or userdomainname like "koreapostpt.shop" or url like "koreapostpt.shop" or userdomainname like "koreapostxn.shop" or url like "koreapostxn.shop" or userdomainname like "koreapostxt.shop" or url like "koreapostxt.shop" or userdomainname like "us-usos-qwtaz.top" or url like "us-usos-qwtaz.top" or userdomainname like "usps-supsrmuo.top" or url like "usps-supsrmuo.top" or userdomainname like "uspsftpr.top" or url like "uspsftpr.top" or userdomainname like "uspsfugu.top" or url like "uspsfugu.top" or userdomainname like "uspsygfk.top" or url like "uspsygfk.top" or userdomainname like "byvlsa.com" or url like "byvlsa.com" or userdomainname like "cssjs.co" or url like "cssjs.co" or userdomainname like "ns2.static5-jquery.com" or url like "ns2.static5-jquery.com" or userdomainname like "ssl-google-analytics.com" or url like "ssl-google-analytics.com" or userdomainname like "capitalxpresslogistic.live.firstnationalbank.live" or url like "capitalxpresslogistic.live.firstnationalbank.live" or userdomainname like "deutsche-chartered-bank.cloudswt.com" or url like "deutsche-chartered-bank.cloudswt.com" or userdomainname like "hgsgbank.com.nexcreditunion.com" or url like "hgsgbank.com.nexcreditunion.com" or userdomainname like "inncbank.com.nexcreditunion.com" or url like "inncbank.com.nexcreditunion.com" or userdomainname like "truistcommercialbank.live.rhinoswiftdelivery.live" or url like "truistcommercialbank.live.rhinoswiftdelivery.live"
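The TDIR queries above match literal domain strings in the userdomainname and url fields. As an added example (not part of the advisory and not Gurucul query syntax), the following Python applies the same IOC list to constructed proxy and DNS records: it normalises a URL to its hostname, checks parent domains so a host under a listed apex is caught, and adds lower-confidence pattern matches for the naming schemes visible in the IOC list (koreapost + two letters .shop, correoparaguayo-mypost*.top, correospanamaagobs-cs*.top, usps*.top). The patterns rest on an assumption the page does not state, namely that rotated siblings keep the same scheme; IOC_DOMAINS is a subset of the list above, and the log records are constructed.

```python
"""Match proxy/DNS log records against the advisory's domain IOCs.

Added example: not part of the advisory and not Gurucul TDIR query syntax.
IOC_DOMAINS is a subset of the IOC list above. IOC_PATTERNS are naming
schemes read off that list plus the assumption (not stated on the page)
that rotated siblings keep the same scheme. The log records are constructed.
"""
import re
from urllib.parse import urlsplit

IOC_DOMAINS = {
    "advanced-ip-sccanner.com",
    "koreapostni.shop",
    "ns1.static5-jquery.com",
    "static5-jquery.com",
    "uspsepsu.top",
    "webmail.portal.guardiantrustbank.us",
}

# Lower-confidence: catches siblings that follow the campaign naming scheme.
IOC_PATTERNS = {
    "koreapost-shop": re.compile(r"^koreapost[a-z]{2}\.shop$"),
    "correoparaguayo-mypost-top": re.compile(r"^correoparaguayo-mypost[a-z]+\.top$"),
    "correospanamaagobs-top": re.compile(r"^correospanamaagobs-cs[a-z]\.top$"),
    "usps-top": re.compile(r"^usps(?:-supsr)?[a-z]{3,4}\.top$"),
}


def extract_host(value):
    """Lower-case hostname from a bare domain, host:port, or full URL."""
    value = value.strip().lower()
    if "://" not in value:
        value = "//" + value          # make urlsplit parse it as a netloc
    return (urlsplit(value).hostname or "").rstrip(".")


def classify_host(host):
    """Return (confidence, reason) for a hostname, or None if clean.

    The host and each parent domain are checked (down to the registrable
    domain, never the bare TLD), so a host under a listed domain is flagged
    even when only the apex appears in the IOC list.
    """
    labels = host.split(".")
    suffixes = [".".join(labels[i:]) for i in range(len(labels) - 1)]
    for i, candidate in enumerate(suffixes):
        if candidate in IOC_DOMAINS:
            return ("high", "ioc-exact" if i == 0 else f"ioc-parent:{candidate}")
    for candidate in suffixes:
        for name, pattern in IOC_PATTERNS.items():
            if pattern.match(candidate):
                return ("medium", f"pattern:{name}")
    return None


def scan(records):
    """Run classify_host over log records; return the hits in input order."""
    hits = []
    for rec in records:
        host = extract_host(rec["value"])
        verdict = classify_host(host) if host else None
        if verdict:
            confidence, reason = verdict
            hits.append({"ts": rec["ts"], "src": rec["src"], "field": rec["field"],
                         "host": host, "confidence": confidence, "reason": reason})
    return hits


# Constructed sample records in the two fields the TDIR queries use.
SAMPLE_RECORDS = [
    {"ts": "2025-01-15T09:12:03Z", "src": "10.0.0.21", "field": "url",
     "value": "https://koreapostni.shop/track?id=88213"},
    {"ts": "2025-01-15T09:12:41Z", "src": "10.0.0.21", "field": "userdomainname",
     "value": "www.static5-jquery.com"},
    {"ts": "2025-01-15T09:13:07Z", "src": "10.0.0.34", "field": "url",
     "value": "http://ns1.static5-jquery.com:8443/update.js"},
    {"ts": "2025-01-15T09:15:55Z", "src": "10.0.0.52", "field": "userdomainname",
     "value": "koreapostzz.shop"},            # constructed; not in the IOC list
    {"ts": "2025-01-15T09:16:10Z", "src": "10.0.0.52", "field": "url",
     "value": "https://www.usps.com/track"},  # legitimate, must not match
    {"ts": "2025-01-15T09:17:22Z", "src": "10.0.0.77", "field": "userdomainname",
     "value": "uspsepsu.top"},
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_RECORDS):
        print(f"{hit['ts']} {hit['src']:<10} {hit['confidence']:<6} "
              f"{hit['host']:<28} {hit['reason']}")
```

Exact and parent-domain hits on the listed IOCs are safe to alert on at high confidence. Pattern hits should be triaged rather than blocked outright: a two-letter suffix scheme is cheap to collide with, and the genuine usps.com is excluded only because the patterns are anchored on the .top TLD the campaign used.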

    Reference:

    https://unit42.paloaltonetworks.com/graph-neural-networks/


    Tags

    Malware, Phishing, Financial Services
