A few of the MFA lookalike domains we've detected recently. These target a large bank in the Czech Republic (csob[.]sk):
csob-sso-sk[.]net, online-csob-sso-sk-moja[.]com, csob-sso-sk[.]com
Nice paper by AT&T on asyncRAT. We see a lot of domains from registered domain generation algorithms (RDGAs), but not a ton of traditional DGAs these days… but this IS one! asyncRAT DGA is keeping a lower profile by not generating too many domain variants. We've seen 37 SLDs in our resolvers this month from the asyncRAT DGA, almost all of which were NXDOMAIN responses. Only 2ira57j063uauto[.]top resolved for us recently. We were blocking it already as suspicious. Pro tip: .top TLD plus a 15-char new domain... block. ;)
But even more interesting is that with the actor using dedicated hosting through BitLaunch, we can see that aside from their DGA domains they have the sneaky lookalike:
akamai-cdn[.]top registered on December 18th. Block that one!
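The "pro tip" above (a .top TLD with a 15-character second-level label), the all-NXDOMAIN pattern, and the brand lookalikes (csob, akamai) can be turned into a triage filter over resolver logs. The block below is an added example written for this post, not tooling from the original author; the log lines are constructed, the SLD extraction is deliberately crude (last two labels, no public-suffix list), and the brand token list is an assumption limited to the brands the post mentions.

```python
import re
from collections import Counter

# Constructed sample resolver log lines (not real telemetry): "qname rcode".
# The first two queried names are the ones the post mentions; the rest are filler.
SAMPLE_LOG = """\
2ira57j063uauto.top NXDOMAIN
2ira57j063uauto.top NOERROR
akamai-cdn.top NOERROR
csob-sso-sk.net NOERROR
online-csob-sso-sk-moja.com NOERROR
www.example.com NOERROR
mail.example.org NOERROR
k3m9q1z8v2b7x4p.top NXDOMAIN
"""

# Assumed brand tokens to watch for; extend with your own protected brands.
BRAND_TOKENS = ("csob", "akamai")


def refang(domain: str) -> str:
    """Turn a defanged name like 'csob-sso-sk[.]net' back into a real name."""
    return domain.replace("[.]", ".").lower().rstrip(".")


def registered_domain(qname: str) -> str:
    """Crude SLD extraction: keep the last two labels (no public-suffix list)."""
    labels = refang(qname).split(".")
    return ".".join(labels[-2:])


def looks_like_asyncrat_dga(domain: str) -> bool:
    """The post's heuristic: .top TLD and a 15-character alphanumeric label."""
    sld, tld = domain.rsplit(".", 1)
    return tld == "top" and len(sld) == 15 and sld.isalnum()


def looks_like_brand_lookalike(domain: str) -> bool:
    """Flag registered domains that embed a protected brand token."""
    sld = domain.rsplit(".", 1)[0]
    return any(re.search(tok, sld) for tok in BRAND_TOKENS)


def classify(log_text: str) -> dict:
    """Return {registered_domain: [reasons]} for every domain seen in the log."""
    total, nx = Counter(), Counter()
    for line in log_text.splitlines():
        qname, rcode = line.split()
        d = registered_domain(qname)
        total[d] += 1
        if rcode == "NXDOMAIN":
            nx[d] += 1
    verdicts = {}
    for d in total:
        reasons = []
        if looks_like_asyncrat_dga(d):
            reasons.append("top-tld-15char")
        if looks_like_brand_lookalike(d):
            reasons.append("brand-lookalike")
        if nx[d] == total[d]:
            reasons.append("all-nxdomain")
        verdicts[d] = reasons
    return verdicts


if __name__ == "__main__":
    for domain, reasons in classify(SAMPLE_LOG).items():
        if reasons:
            print(f"{domain}: {', '.join(reasons)}")
```

Treat the output as a triage queue, not a blocklist: the 15-character rule will also catch legitimate random-looking .top registrations, and a name that resolved once (like 2ira57j063uauto[.]top here) drops out of the all-NXDOMAIN bucket but still matches the length heuristic, which is exactly the case the post describes.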