Security Sponsored Technology

Unmasking ShadowGate Threat Vectors with a WHOIS Database Download

Image courtesy of Pixabay

Anonymity is the name of the game when it comes to successfully carrying out a cybercrime. Even the means by which cyber thieves prefer to get paid—via cryptocurrencies—leaves practically no trace behind. Has the recent reemergence of the ShadowGate (also known as “WordsJS”) campaign with a cryptocurrency mining attack this time left cybersecurity experts and law enforcement agencies without a clue to go on?

The Case Facts

Using the Greenflash Sundown Exploit Kit, the ShadowGate gang, compromised vulnerable company servers worldwide so they could install a Monero cryptocurrency miner on these and all the systems and/or devices connected to them. This, of course, allowed them to generate Monero coins to line their pockets without using their own system resources.

The Risks That Come with the ShadowGate Cryptocurrency-Mining Attack and How WHOIS Database Downloads Can Help

Reports revealed that the gang used servers to serve targets the right exploit kit that would allow them into insufficiently protected networks and the cryptocurrency miner that would work with the systems or devices connected to it. Indicators of compromise (IoCs), including the domains where the threats originated from and the malware executables. Given all that, what can your company do so it doesn’t become the next cryptocurrency-mining attack victim?

The answer: Use a WHOIS database download that can be easily integrated into existing security solutions to cover all your bases, which we’ll get into one by one in this section.

Vulnerability Exploitation

Not all gangs are created equal. Most don’t have the infrastructure (servers and systems or devices) to carry out resource-hogging activities such as cryptocurrency mining. Note that mining for Monero or any other similar coins is not illegal. What makes it so is when you use someone else’s resources to do it, especially if this is unauthorized, as when you hack them.

When your company gets hit with a cryptocurrency-mining attack, your servers and all the systems and devices connected to them will rack up its electricity consumption by approximately 17 megajoules of computer power to generate a dollar’s worth of virtual coins. Not to mention the fact that coin mining can also slow down your operations, which is always detrimental to your success.

You don’t have to suffer that consequence though if you secure all your domains from vulnerability exploitation. To do that, you’ll first need a comprehensive list of all your servers, which you can obtain from a relatively complete WHOIS database download. This is especially hard to keep track of if your company has offices in various locations, which maintain their own domains. With the domain list in hand, you can make sure that all your servers have the latest patches and are protected by an effective vulnerability shielding solution so attackers can’t compromise them for their own use.

Unauthorized Access

Staying abreast of the latest security news is always beneficial. In an era where becoming a cyber attack victim is a matter of “when” and not “if,” knowing a threat’s source is already half the battle.

Armed with threat IoCs, you can look at your network traffic logs to see every domain that has accessed it. Sift through these and block their access so your servers, systems, and devices don’t end up serving the cryptocurrency-mining malware to your website and page visitors, especially if the attackers were able to bypass your security solutions.

Go a step further because you can’t really be too sure these days. Obtain a WHOIS database download that has an extensive list of gTLD domains. Look for all other domains related to the IoCs and block their access to your websites and pages too. That way, you can avoid the hassle of your domains being tagged as malicious.

Security is not a one-step process, unfortunately. It takes a combination of tools and tactics to ensure that your business is safe from online attacks. But if you don’t want to end up being used by cybercriminals and attackers for their nefarious schemes, you must take all the necessary precaution to do so. That includes making the most out of tools like WHOIS database downloads to enhance your threat intelligence and plug in holes that your security solutions may have left open for abuse.

About the author


Alex Francois

Alex Francois is Senior Content Manager at He is knowledgeable about technologies that permit tracking IP addresses and other relevant data to ensure better cybersecurity protection and marketing campaigns.