WhatsApp, doc?

We recently observed about 800 lookalike domains impersonating WhatsApp. These domains are all on the .com, .cc, and .cn TLDs and exhibit a few naming patterns:

Randomized short .cc domains:
- whatsqgs[.]cc, whatsqka[.]cc, whatsqys[.]cc

Structured .com domains:
- app-<3 letters>-whatshktw[.]com
- app-<3 letters>-whatsappcc[.]com

Structured .cn domains:
- <4 letters>-wahtsapp[.]cn

These domains were all created within the last 20 days, tops, and given the bulk registration and consistent infrastructure, point to a coordinated campaign. All 800+ domains are hosted in ASN 205960 (KR, 'IP Transit'), share the same nameserver domain (domainnamedns[.]com), and embed a highly-suspicious Chinese analytics loader from aizhantj[.]com (seriously, this thing is weird; check the references below). The sites present fake WhatsApp login/download portals in Chinese, suggesting East-Asian targeting.

Selection of IOCs
app-xfn-whatsappcc[.]com
app-xbb-whatsappcc[.]com
app-wum-whatshktw[.]com
ptjh-wahtsapp[.]com
kemc-wahstapp[.]cn
hzfv-wahstapp[.]cn
iiqu-wahstapp[.]cn
ggeu-wahstapp[.]cn
whatsyuy[.]cc
xjdp-wahstapp[.]cn
yaue-wahstapp[.]cn
zvxd-wahstapp[.]cn

References
https://urlscan.io/result/0199f335-4b61-76ca-851f-c832a7d5f9bd/#transactions (tj.js is the weird analytics GET request)
https://urlscan.io/result/0199f34a-e9a8-7788-a057-29a6c9a3f133 (the loader itself)
https://www.shodan.io/search?query=aizhantj.com

#infoblox #phishing #lookalikes #infosec #threatintel #dns #whatsapp