
Over the last few days, one of our endpoints has been making calls to testgvbgjbhjb.com; the calls came from Google Chrome outside.

I used TCPView to find suspicious connections and to check whether there is any unknown extension.

The owner of the domain pointed it to a 127.0.0.1 record and set the following TXT record:

"The owner of this domain does not know why your machine is reaching out to it. Owner saw suspicious traffic in multiple networks and bought it."

I read the following analysis, but I can't find the cause of these calls.

Any idea?

F.Rahamim
  • If you do a search, you will see that many people have been asking about this domain for a couple of days, and all references appear to mention Chrome as the client. – schroeder Feb 22 '20 at 21:05
  • @schroeder I saw all of these posts but they don't offer any solution or updates. – F.Rahamim Feb 22 '20 at 21:09
  • I couldn't find any solution either, but it means that it's seen broadly over a wide range and not specific to your environment. That points to a likely safe scenario. It *could* be a broad version of malware that has not been identified even though it is chatty and visible, but unlikely. My ***guess*** is that it's a Chrome or browser extension that has a test string that made it into production. – schroeder Feb 22 '20 at 21:19

2 Answers


I have the solution.

I used the urlscan link that I wrote in the question and checked the HTTP tab. I clicked on the "show response" button.

I checked the response of each request and saw a PopCash script:

<script type="text/javascript" src="//cdn.popcash.net/pop.js"></script>

This feature is a legitimate advertising service that website publishers use to generate revenue on their sites.

There are some adware programs that inject these ads into the websites you visit, automatically show pop-ups and redirect the user to third-party websites in order to generate revenue.

I found an unwanted program in the OS; after uninstalling the program, the calls stopped.

F.Rahamim

This traffic could potentially come from malware installed on the endpoint in question, trying to contact a Command & Control server.

It is possible that you will find connection attempts to more random-looking hostnames.

An increasing number of malware families implement a Domain Generation Algorithm, a scheme where random-looking hostnames of the C&C server are generated using a deterministic algorithm rather than hardcoding one or more addresses within the malware.
The malware creator needs to register only one of these possible domain names to make their server reachable. If the domain name is blacklisted or suspended by law enforcement, the malware creator can simply pick a new one according to the algorithm, and the malware will find it.

The purpose of this scheme is to prevent the list of possible server addresses from being extracted from a malware sample and being blacklisted or registered by law enforcement/anti-malware agents in advance.

Lukas
  • Thanks for your response. By the way, I didn't write it, but the calls came from Google Chrome outside. – F.Rahamim Feb 22 '20 at 19:10
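A quick way to triage "random-looking" hostnames like the one in the question, following the DGA explanation in the answer above. This is an added example, not code from either poster: it scores the registrable label of each hostname by character entropy and longest consonant run, with thresholds that are assumed for illustration and should be tuned against your own baseline; the host list is constructed here and is not a set of real indicators.

```python
import math
from collections import Counter

# Constructed sample of hostnames as they might appear in endpoint connection
# logs: testgvbgjbhjb.com is the domain from the question, the rest are made up.
SAMPLE_HOSTS = [
    "www.google.com",
    "cdn.popcash.net",
    "testgvbgjbhjb.com",
    "xk3qz9vbtrmlp.net",
    "mail.example.org",
]

VOWELS = set("aeiou")


def registrable_label(host: str) -> str:
    """Naively return the label left of the TLD (no public-suffix list)."""
    parts = host.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def shannon_entropy(s: str) -> float:
    """Bits per character; algorithmically generated labels score high."""
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def longest_consonant_run(s: str) -> int:
    """Length of the longest run of consonant letters (digits reset the run)."""
    run = best = 0
    for ch in s:
        if ch.isalpha() and ch not in VOWELS:
            run += 1
            best = max(best, run)
        else:
            run = 0
    return best


def dga_score(host: str) -> dict:
    label = registrable_label(host)
    ent = shannon_entropy(label)
    run = longest_consonant_run(label)
    digits = sum(ch.isdigit() for ch in label)
    # Assumed thresholds for illustration: unpronounceable runs or very high
    # entropy are what a human analyst would also flag as "random-looking".
    suspicious = run >= 5 or ent >= 3.5 or (digits >= 2 and len(label) >= 10)
    return {"host": host, "label": label, "entropy": round(ent, 2),
            "consonant_run": run, "suspicious": suspicious}


def triage(hosts):
    """Return only the hosts worth a closer look (sandbox, urlscan, process tree)."""
    return [r for r in (dga_score(h) for h in hosts) if r["suspicious"]]
```

A hit here is a prompt to inspect the originating process and any injected scripts, not proof of a DGA; pronounceable-but-unregistered brand names will pass the heuristic unnoticed.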