# Using the Silent Push app and API to find punycode domains **[silentpush.com/blog/using-the-silent-push-app-and-api-to-find-punycode-domains](https://www.silentpush.com/blog/using-the-silent-push-app-and-api-to-find-punycode-domains)** July 29, 2021 Jul 29 Written By [Martijn Grooten](http://10.10.0.46/blog?author=6085b1971ccba8696c78f75c) Yesterday, Yan Zhu, a security engineer for the privacy-focused Brave web browser, [tweeted about a domain impersonating Brave that was promoted through Google ads.](https://twitter.com/bcrypt/status/1420471176137113601) The domain was `bravė.com . Note the accent on the e, which distinguishes it from` ``` brave.com, the domain it was impersonating. ``` [This is an example of an Internationalized Domain Name (IDN), a domain name that](https://en.wikipedia.org/wiki/Internationalized_domain_name) includes non-ASCII characters. Such domains have an ASCII representation that starts with ``` xn-- and use punycode to convert from ASCII to unicode and vice versa. The ASCII ``` representation of the impersonating domain is `xn--brav-yva.com .` ----- When IDNs are used to impersonate existing domains, one speaks of a homograph or homoglyph attack. Other than the use of accents on Latin characters, this also includes using similar-looking characters from non-Latin alphabets, such as using the Greek α instead of the Latin a. Though not incredibly common in practice, such attacks do exist and security researchers have warned about them for more than a decade. The `bravė.com or` `xn--brav-yva.com domain was registered through NameCheap in` June and is hosted at `185.198.166.104, which belongs to ITLDC, a Bulgarian cloud` provider with servers in a number of countries. My first thought was to use the Silent Push app to see what else is hosted there. I found three more domain names, all IDNs: `xn--ldgr-xvaj.com,` `xn--sgnal-m3a.com` and `xn--teleram-ncb.com . The unicode representations of these domains are` ``` lędgėr.com, sīgnal.com and teleģram.com respectively, presumably impersonating ``` cryptocurrency wallet maker Ledger and messaging apps Signal and Telegram. (I say ‘presumably’ because `signal.com and` `telegram.com aren’t actually linked to the` respective messaging apps.) These other three domains were also registered at NameCheap. Using our passive DNS, I [found that none of the domains had been seen at another IP address, so I couldn’t pivot](https://www.silentpush.com/blog/pivoting-finding-malware-domains-without-seeing-malicious-activity) any further. However, I wondered if this actor could have hosted other domains at a different server. Assuming they’d also use the same registrar and hosting provider, I ran a search query in Silent Push’s API for domains starting with `xn-- using NameCheap’s name servers and` hosted on ITLDC’s ASN (AS21100). I found nine further domains. Two of them ( xn--80aaw7ah.com and `xn-` ``` -80ahcmbumt.org ) represent words in the Cyrillic alphabet and there is no reason to ``` assume they are used for anything malicious. The other seven, however, were all hosted on the same IP address ( 195.245.113.25 ) and all impersonate legitimate products, including once again Brave and Telegram: ----- The fake installer on `bravė.com that prompted this research was an ISO file that appears` [to contain a version of the Redline infostealer. That suggests it may be related to a](https://malpedia.caad.fkie.fraunhofer.de/details/win.redline_stealer) [campaign analysed by Morphisec last month, where Redline was also served packed inside](https://blog.morphisec.com/google-ppc-ads-deliver-redline-taurus-and-mini-redline-infostealers) an ISO through malicious Google ads, impersonating Telegram and other services. The domain names involved in that campaign were also registered through NameCheap. As for IDNs, there are [tools that help one find homograph attacks on an existing domain](https://github.com/evilsocket/ditto) name. However, it is through a comprehensive and easily searchable passive DNS database that one can find a bigger picture of the campaign using a homograph attack. ## Indicators ``` xn--brav-eva.com ``` ``` xn--brav-yva.com ``` ``` xn--flghtsimulator-mdc.com ``` ``` xn--ldgr-xvaj.com ``` ``` xn--screncast-ehb.com ``` ``` xn--sgnal-m3a.com ``` ``` xn--teleram-ncb.com ``` ``` xn--tlegram-w7a.com ``` ``` xn--torbrwser-zxb.com ``` ``` xn--tradingvew-8sb.com ``` ----- ``` xn--xodus-hza.com ``` ``` 185.198.166.104 ``` ``` 195.245.113.25 ``` Name * Thank you! [Martijn Grooten](http://10.10.0.46/blog?author=6085b1971ccba8696c78f75c) -----