No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection
2024-10-5 05:0:3 Author: unit42.paloaltonetworks.com(查看原文) 阅读量:7 收藏

Executive Summary

This article reviews four previously undisclosed domain name system (DNS) tunneling campaigns that occurred in recent months. We identified these new campaigns through our recently deployed campaign monitoring system, which can identify new, potentially malicious campaigns from daily tunneling detection.

DNS tunneling is a technique threat actors use to encode non-DNS traffic data within DNS packet traffic. This allows the information to bypass traditional network firewalls and establish covert communication channels for data exfiltration and infiltration.

Our new campaign monitoring system is designed to detect tunneling domains based on the techniques and attributes commonly used in malicious campaigns. These unique intercorrelations among individual tunneling campaigns can reveal new tunneling domains.

For example, can attackers connect a new domain to any existing well-documented tunneling campaign? Do a couple of recently detected tunneling domains originate from an undisclosed campaign?

Hence, instead of investigating the tunneling domains individually, we seek to analyze these domains from the perspective of common attributes and quickly uncover new campaigns.

We have deployed this tunneling campaign monitoring system in our Advanced DNS Security service. This system allows organizations to secure their DNS traffic by identifying and blocking new potential campaigns from tunneling domains. It also provides detailed campaign information for customers who can log in to our Test A Site service.

Palo Alto Networks Next-Generation Firewall customers can access the tunneling campaign information with the Advanced DNS Security subscription and receive protections against malicious indicators (domains and IP addresses) mentioned in this article via Advanced URL Filtering. The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.

The Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks with best practices by identifying the corresponding malware samples and command and control (C2) traffic.

Palo Alto Networks Cortex Analytics customers receive protection against DNS tunneling techniques mentioned in this article via the DNS tunneling analytics detector.

Cortex also helps protect against malware from the Hiloti family and others through features such as prevention for shellcode injection.

If you think you might have been compromised or have an urgent matter, contact the Unit 42 Incident Response team.

Related Unit 42 Topics DNS, C2

DNS Tunneling: An Overview

DNS is a critical component of the internet infrastructure responsible for translating human-readable domain names into IP addresses. Many organizations leave UDP and TCP port 53 open in their firewalls, which is the port DNS uses for communication. They also often leave this port unmonitored, making it an attractive target for attackers to use as a covert communications channel.

DNS tunneling leverages the DNS protocol to encode data within DNS queries and responses. Therefore, cyberattackers tend to use DNS tunneling for data exfiltration, command and control (C2), or bypassing security measures.

Illustration depicting the DNS query process involving a client system, an ISP DNS server, and a malicious server, with steps labeled using technical notations and domains.
Figure 1. The hidden information is transmitted via DNS tunneling attacks.

Figure 1 illustrates an example of covert communications using DNS tunneling techniques.

Attackers first infect a client system with malware that is able to steal the user’s data. Then, the stolen data is encoded and embedded within subdomains and is transmitted over DNS queries. The attackers can receive and decode the data by hosting an authoritative DNS (aDNS) server of the root domain (e.g., helloworld[.]com in Figure 1).

DNS tunneling can achieve stealthiness because the recursive DNS servers enable indirect communications between client systems and attacker-controlled authoritative DNS servers. Attackers are also able to transmit commands by encoding data into DNS responses.

Malicious actors also abuse DNS tunneling in attack campaigns. For example, the Iranian threat group Evasive Serpens (aka OilRig) employed DNS tunneling to communicate between infected hosts and their C2 servers, targeting critical infrastructure in the Middle East. Another Iranian threat group we track as Obscure Serpens (aka DarkHydrus) also used DNS tunneling when it targeted government agencies and educational institutions in the Middle East in 2016.

The detection of DNS tunneling has typically focused on the attributes of individual domains, such as lexical or infrastructure patterns. However, defenders often overlook additional attributes.

For example, correlations between tunneling domains can help us monitor significant clusters for tunneling detection and discover emerging campaigns. In this article, we reveal common attributes shared within individual campaigns that could facilitate automated detection of new DNS tunneling campaigns.

Based on these attributes, we have designed and deployed the first campaign monitoring system in our products. This system aims to automatically determine if a couple of historically detected tunneling domains originate from an undisclosed campaign, or if a new tunneling domain belongs to any existing well-documented campaign.

Attributes for Campaign Monitoring

This section presents methods that can identify new tunneling campaigns from daily tunneling detection results. Our detection relies on the fact that domains used in each individual tunneling campaign typically exhibit similar attributes because the same malicious actors registered the domains, or the campaigns used the same tunneling methods.

We discuss the common attributes we identified within each tunneling campaign. To the best of our knowledge, these distinctive intercorrelations among tunneling campaigns have not been fully studied previously.

The following attributes relate to infrastructure, configurations, lexical patterns and targets that could be shared across the tunneling domains in each campaign:

  • Authoritative nameserver: The nameservers used by tunneling campaigns are usually owned and controlled by attackers themselves, as attackers should have unrestricted access to fetch query logs and manipulate the response. To limit the attack cost, attackers tend to use a single self-hosted authoritative DNS server. This centralized server enables them to efficiently manage and process DNS traffic of multiple tunneling domains.
  • DNS configurations: In a single tunneling campaign, the DNS configurations used for each domain are usually similar or even identical. This is because the same attacker group sets and stores the configuration in the same aDNS server. The shared infrastructure settings allow attackers to effectively deploy and control the various domains in the campaign, but they also provide a significant indicator for security researchers. For instance, RussianSite and 8NS tunneling campaigns have their own DNS configuration pattern with a single aDNS IP address.
  • Payload encoding: To launch a tunneling campaign, attackers usually employ consistent tunneling tools or encoding methods to encapsulate their payload data into subdomains. Therefore, within a single campaign, the patterns of subdomains across various root domains often show significant similarities. This consistency helps attackers manage their C2 or data exfiltration processing. For example, RussianSite and NSfinder use the same encoding method within each campaign.
  • Domain registration: Domains used in individual campaigns frequently share the same top-level domain (TLD). Also, the associated root domains use a notably similar naming scheme, indicating a consistent choice made by the attacker group. Moreover, the registration time of these domains tends to align closely from their WHOIS records.
  • Attack target: Each tunneling campaign tends to target one or a few specific victim types (e.g., governments, public infrastructures, finance/banking/investments or health/medical care).

Based on the above criteria, we used machine learning techniques to explore the potential new campaigns among the detected tunneling domains.

New Campaigns

By focusing on the correlations between DNS tunneling domains, we detected four previously undiscovered campaigns. Each campaign shares some attributes from infrastructure, payloads, domain registration or targeted victims. We show the detailed case studies on these campaigns in this section.

FinHealthXDS

The first campaign contains 12 domains that use a customized DNS beaconing format for Cobalt Strike C2 communications. While Cobalt Strike has a default configuration for DNS C2 communications through a malleable C2 profile, this campaign leverages a customized format.

In this format, the associated DNS queries use three-letter prefixes (e.g., xds) to indicate the function of the queries used in this tunneling traffic. This campaign targets the finance and healthcare industries, thus we named it FinHealthXDS.

By analyzing the passive DNS records, we discovered this customized Cobalt Strike DNS beaconing format. This campaign uses the xds prefix to indicate command request queries and resolves to 40.112.72[.]205 as the IP address.

After obtaining the returned IP address such as 40.112.72[.]62, malware will calculate the XOR value of the last byte to determine the returned command. For example, 205 XOR 62 = 243, which typically indicates transferring data with TXT records (mode dns-txt command).

Below, we find two examples of DNS A record queries for transferring subsequent data using TXT records.

  • xds.5af195b6.gear.<rootdom> A 40.112.72[.]205
  • xds.5af195b6.gear.<rootdom> A 40.112.72[.]62

This campaign can use either A records or TXT records for an infected host to receive data. When using A records, the DNS queries follow a format with a customized prefix of pro (compared to the default value of cdn when using malleable C2 profiles for DNS beaconing in Cobalt Strike).

pro.[hex-counter][8-digit-hex-random-number].[beacon-id].[subdomain-padding].<rootdom> A [hex-infiltration-data]

When using TXT records for data infiltration, the DNS queries use the prefix snd instead of the default api prefix used in the malleable C2 for DNS beaconing in Cobalt Strike. An example of the format is shown below.

snd.[hex-counter][8-digit-hex-random-number].[beacon-id].[subdomain-padding].<rootdom> TXT [infiltration-data]

To exfiltrate data to a C2 server, the DNS queries leverage two prefixes (i.e., txt for short messages and del for long messages, not the default prefix of post). The format is as follows.

[txt|del].[num-of-message][encoded-message].[counter][random-number].[beacon-id].[subdomain-padding].<rootdom> A 40.112.72[.]205

Table 1 shows six domains in this campaign. It also shows the query samples, nameservers and nameserver IP addresses.

Domain Query Sample Nameserver Domains

Nameserver IP Addresses

foxxbank[.]com txt.1f0522f1e.3074aa20643.62c1b4ba.novel.foxxbank[.]com ns1.foxxbank[.]com

ns2.foxxbank[.]com

191.252.140[.]94

191.252.140[.]80

lifemedicalplus[.]net del.1214999ab.36f446b3e.4c820ef2.dns0.lifemedicalplus[.]net salad.liveritehealthcare[.]com 52.90.87[.]208
codeaddon[.]net txt.1a74140ad.4f2fa129ed.1ab3dfba.dns11.codeaddon[.]net content.codeaddon[.]net

gateway.codeaddon[.]net

jobs.codeaddon[.]net

188.114.96[.]3

44.197.246[.]120      3.89.115[.]116

healthproreview[.]com xds.db6bee2.thing.healthproreview[.]com pitch.healthproreview[.]com 54.242.65[.]191
familiesandfinance[.]com del.17b48a6a3831f07076b2d81677d87ad5d93df75b7.142fb5314.250feff6.hunt.familiesandfinance[.]com chance.familiesandfinance[.]com 18.116.41[.]255
soupandselfcare[].com pro.b4ed82f96.2c3e46fa.brain.soupandselfcare[.]com initiative.soupandselfcare[.]com 54.166.97[.]9

Table 1. The domain, query sample, nameservers and nameserver IP addresses in the campaign FinHealthXDS.

RussianSite

The second tunneling campaign contains over 100 domains, all of which share the same nameserver IP address of 185.161.248[.]253 from Russia. Most domains in this campaign end with the TLD .site, while only a very few of these domains use .website. Therefore, based on the aDNS IP address and the TLD patterns, we named this campaign RussianSite.

The subdomain contains two parts: a 5-character alphanumeric payload and a 1-letter or 2-letter padding that is specific in each domain. The A records of these campaign domains are distributed worldwide. However, to receive tunneling information from aDNS servers, configuring a valid aDNS IP address is mandatory for attackers, while A records are discretionary and could be invalid.

In Table 2 we listed examples of the domains, along with a query sample, nameservers and nameserver IP address. We have obfuscated the listed FQDN queries so no customer data is revealed.

We observed this campaign targeting 10 organizations from higher education. Of these 10 targets, five are governments and public infrastructure, four are medical/health institutions and one is a public accounting firm.

Domain Query Sample Nameserver Domains Nameserver IP Address
pretorya[.]site h3t5b.g.pretorya[.]site ns1.g.pretorya[.]site

ns2.g.pretorya[.]site

185.161.248[.]253
zzczloh[.]site ptqo1.p.zzczloh[.]site ns1.p.zzczloh[.]site

ns2.p.zzczloh[.]site

185.161.248[.]253
mouvobo[.]site jpdqo.n.mouvobo[.]site ns1.n.mouvobo[.]site

ns2.n.mouvobo[.]site

185.161.248[.]253
mponiem[.]site 6nesl.v.mponiem[.]site ns1.v.mponiem[.]site

ns2.v.mponiem[.]site

185.161.248[.]253
linkwide[.]site g49wo.y.linkwide[.]site ns1.y.linkwide[.]site

ns2.y.linkwide[.]site

185.161.248[.]253
dtodcart[.]site lv1bi.f.dtodcart[.]site ns1.f.dtodcart[.]site

ns2.f.dtodcart[.]site

185.161.248[.]253

Table 2. The domain, query sample, nameservers, nameserver IP address in the campaign RussianSite.

8NS

The third tunneling campaign contains six domains that share the same DNS configurations and aDNS server IP address of 35.205.61[.]67. A special pattern of this campaign is that each domain has 8 NS records. Therefore, we named this campaign 8NS.

However, instead of keeping redundancy of nameservers, all the NS records (i.e., ns[1-8].<rootdom>) have the same A record of 35.205.61[.]67.

1

2

3

4

5

6

7

8

9

10

11

12

13

14

15

16

17

18

19

<rootdom> NS ns1.<rootdom>

<rootdom> NS ns2.<rootdom>

<rootdom> NS ns3.<rootdom>

<rootdom> NS ns4.<rootdom>

<rootdom> NS ns5.<rootdom>

<rootdom> NS ns6.<rootdom>

<rootdom> NS ns7.<rootdom>

<rootdom> NS ns8.<rootdom>

ns[1-8].<rootdom> A 35.205.61[.]67

<rootdom> A 35.205.61[.]67

Meanwhile, the A record of the root domain is the same as the aDNS server IP address. That indicates the nameserver may be self-built, which is usually a premise for DNS tunneling. Below, Figure 2 shows a visual mapping of the 8NS campaign.

An infographic showing various network connections, along with interactions marked by arrows pointing between some entities. Additional flags of of the United States and Belgium indicate specific country-related connections.
Figure 2. The graph representation of the campaign 8NS.

This campaign is driven by multiple Trojans. For example, malware from the Hiloti family 0b99db286f3708fedf7e2bb8f24df1af13811fe46b017b6c3e7e002852479430, can contact the domain 011807dd0303[.]lantzel[.]com.

This Hiloti sample secretly downloads malicious files from a remote server and then injects the unpacked malware into explore[.]exe. The malware creates three registry entries under HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\Bfetipi or HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\Bfetipi, which a C2 domain generation algorithm uses to send client online messages to the C2 server through DNS queries, as depicted in Figure 3.

A screenshot of computer code with various functions and variables, including lines of code containing hexadecimal values and references to DNS requests.
Figure 3. Code from a Hiloti sample that sends DNS messages to a C2 server.

The generated domains are based on the information of infected systems, with a format such as the following:

0018786966.96428380.04.5E43287B03114C04A64F68C0C23E44F4.n.156.887.empty.6_1._t_i.3000.explorer_exe.156.rc2.a4h9uploading[.]com.

Let’s break down the encoding of each component from the above example:

  • 0018786966: Elapsed time
  • 96428380: Infected machine volume serial number XOR 0x3C2C3DB7
  • 04: Number of processor cores on the infected machine
  • 5E43287B03114C04A64F68C0C23E44F4: Generated from the registry key “Jqoqegemidar” and XOR algorithm
  • n: Indicator of a new process (n) or existing process (e), determined by mutex
  • 156: Value of registry key “Nwasolonizo
  • 887: Hard-coded value
  • empty: Hard-coded value
  • 6_1: OS information: OS major version (6) and minor version (1)
  • _t_i: Hard-coded
  • 3000: Current process security identifier (SID)
  • explorer_exe: Malware executing process name
  • 156: Hard-coded
  • rc2[.]a4h9uploading[.]com: Hard-coded domain

After sending a client online message, the malware starts C2 communication with the domain lantzel[.]com, which Figure 4 shows being decrypted during execution.

Screenshot of a computer screen displaying assembly language code and a hex dump, with a section highlighted showing ASCII text "l.a.n.t.z.e.l.c.o.m".
Figure 4. Disassembled code from a Hiloti sample showing that it decrypts the domain lantzel[.]com during execution.

We illustrate these six domains in the campaign 8NS, along with the query sample, nameservers and nameserver IP address in Table 3.

Domain Query Sample Nameserver Domains Nameserver IP Address
lantzel[.]com 080317e70613.lantzel[.]com ns1.lantzel[.]com

ns2.lantzel[.]com

ns3.lantzel[.]com

ns4.lantzel[.]com

ns5.lantzel[.]com

ns6.lantzel[.]com

ns7.lantzel[.]com

ns8.lantzel[.]com

35.205.61[.]67
unbeatableprice[.]us 029cd612cc2d9b9858aossoapcngb.unbeatableprice[.]us ns1.unbeatableprice[.]us

ns2.unbeatableprice[.]us

ns3.unbeatableprice[.]us

ns4.unbeatableprice[.]us

ns5.unbeatableprice[.]us

ns6.unbeatableprice[.]us

ns7.unbeatableprice[.]us

ns8.unbeatableprice[.]us

35.205.61[.]67
sosua[.]cz 0545326b975e.1400world.sosua[.]cz ns1.sosua[.]cz

ns2.sosua[.]cz

ns3.sosua[.]cz

ns4.sosua[.]cz

ns5.sosua[.]cz

ns6.sosua[.]cz

ns7.sosua[.]cz

ns8.sosua[.]cz

35.205.61[.]67
ns2000wip[.]com fkdmw402.ns2000wip[.]com ns1.ns2000wip[.]com

ns2.ns2000wip[.]com

ns3.ns2000wip[.]com

ns4.ns2000wip[.]com

ns5.ns2000wip[.]com

ns6.ns2000wip[.]com

ns7.ns2000wip[.]com

ns8.ns2000wip[.]com

35.205.61[.]67
dreyzek[.]com srv881.dreyzek[.]com ns1.dreyzek[.]com

ns2.dreyzek[.]com

ns3.dreyzek[.]com

ns4.dreyzek[.]com

ns5.dreyzek[.]com

ns6.dreyzek[.]com

ns7.dreyzek[.]com

ns8.dreyzek[.]com

35.205.61[.]67
avtomaty-bcg[.]online 001-zr6yarm4qwk4weuw.0zyywvutsrqp.avtomaty-bcg[.]online ns1.avtomaty-bcg[.]online

ns2.avtomaty-bcg[.]online

ns3.avtomaty-bcg[.]online

ns4.avtomaty-bcg[.]online

ns5.avtomaty-bcg[.]online

ns6.avtomaty-bcg[.]online

ns7.avtomaty-bcg[.]online

ns8.avtomaty-bcg[.]online

35.205.61[.]67

Table 3. The domain, query sample, nameservers and nameserver IP address in the campaign 8NS.

NSfinder

The fourth campaign contains over 50 domains. All domains are named by combining three words with the last word of finder (e.g., unlimitedpartnersfinder[.]com). The subdomains are composed of multiple similar segments, each of which contains a prefix ns500 and a number. Based on the root domain and subdomain patterns, we named this campaign NSfinder.

NSfinder is related to multiple malicious IP addresses, mainly from Europe. Each domain typically uses three IP addresses each time for both aDNS IP addresses and resolved IP addresses.

The IP addresses used by different domains have high overlapping. Also, we observe that attackers periodically change the IP address set for each domain, and the time to live (TTL) is only 60 seconds.

NSfinder performs attacks by setting up adult websites, and it lures victims to enter their credit card information. This campaign also correlates with multiple Trojans, such as IcedID.

For example, attackers frequently used the nameserver IP address 206.188.197[.]111 in the campaign to communicate with a malware sample with the SHA256 hash dfb3e5f557a17c8cdebdb5b371cf38c5a7ab491b2aeaad6b4e76459a05b44f28, identified as IcedID by different sources in VirusTotal. The nameserver IP address 185.81.114[.]183 communicated with the malware c22d25107e48962b162c935a712240c0a4486b38891855f0e53d5eb972406782, identified as RedLine stealer.

We observed this campaign having massive traffic within one month in 2023. The ns500 tokens have over a hundred variants, where the top tokens follow the distribution of English letters. We observed thousands of victims related to this campaign, mainly coming from high tech, education and manufacturing fields.

In Table 4, we list six domain examples with their query sample, nameservers and nameserver IP addresses.

Domain Query Sample Nameserver Domains Nameserver IP Addresses
yummyflingsfinder[.]com ns500505.ns500528.ns500505.ns500458.ns500528.ns500528.ns500528.ns500488.ns500488.ns500505.ns500476.ns500476.ns500440.ns500227.ns500209.yummyflingsfinder[.]com ns500583.yummyflingsfinder[.]com

ns500599.yummyflingsfinder[.]com

ns500631.yummyflingsfinder[.]com

185.81.114[.]183

185.176.220[.]212

88.119.169[.]205

piquantchicksfinder[.]com ns500458.ns500458.ns500505.ns500528.ns500528.ns500528.ns500458.ns500488.ns500505.ns500458.ns500476.ns500476.ns500488.ns500488.ns500440.ns500227.ns500209.piquantchicksfinder[.]com ns500583.piquantchicksfinder[.]com

ns500599.piquantchicksfinder[.]com

ns500631.piquantchicksfinder[.]com

185.81.114[.]183

185.176.220[.]212

88.119.169[.]205

yummyloversfinder[.]com ns500528.ns500458.ns500528.ns500505.ns500505.ns500505.ns500488.ns500505.ns500476.ns500458.ns500458.ns500458.ns500440.ns500288.ns500209.yummyloversfinder[.]com ns500505.yummyloversfinder[.]com

ns500488.yummyloversfinder[.]com

ns500458.yummyloversfinder[.]com

206.188.197[.]111

23.95.170[.]183

185.176.220[.]80

unlimitedpartnersfinder[.]com ns500505.ns500528.ns500505.ns500458.ns500505.ns500505.ns500505.ns500528.ns500528.ns500505.ns500476.ns500488.ns500488.ns500488.ns500488.ns500227.ns500209.unlimitedpartnersfinder[.]com ns500575.unlimitedpartnersfinder[.]com

ns500618.unlimitedpartnersfinder[.]com

ns500635.unlimitedpartnersfinder[.]com

5.149.255[.]21

141.94.37[.]182

193.142.59[.]198

lustypartnersfinder[.]com ns500414.ns500414.ns500414.ns500502.ns500414.ns500502.ns500485.ns500485.ns500511.ns500485.ns500502.ns500479.ns500414.ns500414.ns500478.ns500268.ns500168.lustypartnersfinder[.]com ns500313.lustypartnersfinder[.]com

ns500540.lustypartnersfinder[.]com

ns500634.lustypartnersfinder[.]com

188.119.148[.]82

109.205.214[.]13

51.89.16[.]177

juicyplaymatesfinder[.]com ns500501.ns500501.ns500291.ns500501.ns500525.ns500525.ns500525.ns500501.ns500292.ns500213.ns500213.ns500213.ns500291.ns500225.ns500197.juicyplaymatesfinder[.]com ns500291.juicyplaymatesfinder[.]com

ns500585.juicyplaymatesfinder[.]com

ns500643.juicyplaymatesfinder[.]com

185.176.220[.]151

79.141.165[.]176

51.83.172[.]83

Table 4. The domain, query sample, nameservers and nameserver IP addresses in the campaign NSfinder.

Conclusion

The domains within each tunneling campaign share some common attributes, such as the following:

  • Infrastructure
  • DNS configurations
  • Payload encoding
  • Domain registration patterns
  • Attack targets

These attributes enable us to identify significant clusters among the tunneling detection results so that we can discover the emerging tunneling campaigns.

This method of detection has revealed four new campaigns that we have described in this article and have named:

  • FinHealthXDS
  • RussianSite
  • 8NS
  • NSfinder

We have implemented these techniques as a new campaign monitoring system into our Advanced DNS Security service, providing campaign information and descriptions to our customers. With this system, we have detected four new campaigns from daily tunneling detection results.

The Next-Generation Firewall with the Advanced Threat Prevention security subscription can help block the attacks with best practices via the following Threat Prevention signature: 13033.

Customers can also receive protections against malicious indicators (domains, IP addresses) mentioned in this article via Advanced URL Filtering.

The Advanced WildFire machine-learning models and analysis techniques have been reviewed and updated in light of the IoCs shared in this research.

Palo Alto Networks Cortex Analytics customers receive protection against DNS tunneling techniques mentioned in this article via the DNS tunneling analytics detector.

Cortex also helps protect against malware from the Hiloti family and others through features such as prevention for shellcode injection.

If you think you might have been compromised or have an urgent matter, get in touch with the Unit 42 Incident Response team or call:

  • North America Toll-Free: 866.486.4842 (866.4.UNIT42)
  • EMEA: +31.20.299.3130
  • APAC: +65.6983.8730
  • Japan: +81.50.1790.0200

Palo Alto Networks has shared these findings with our fellow Cyber Threat Alliance (CTA) members. CTA members use this intelligence to rapidly deploy protections to their customers and to systematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.

Indicators of Compromise

Domains

  • avtomaty-bcg[.]online
  • codeaddon[.]net
  • dreyzek[.]com
  • dtodcart[.]site
  • foxxbank[.]com
  • healthproreview[.]com
  • juicyplaymatesfinder[.]com
  • lifemedicalplus[.]net
  • linkwide[.]site
  • lustypartnersfinder[.]com
  • mouvobo[.]site
  • mponiem[.]site
  • ns2000wip[.]com
  • piquantchicksfinder[.]com
  • pretorya[.]site
  • sosua[.]cz
  • soupandselfcare[].com
  • unlimitedpartnersfinder[.]com
  • yummyflingsfinder[.]com
  • yummyloversfinder[.]com
  • zzczloh[.]site

IP Addresses

  • 88.119.169[.]205
  • 185.161.248[.]253
  • 185.176.220[.]80
  • 185.176.220[.]212

Samples

  • 0b99db286f3708fedf7e2bb8f24df1af13811fe46b017b6c3e7e002852479430
  • c22d25107e48962b162c935a712240c0a4486b38891855f0e53d5eb972406782
  • c3a29c2457f33e54298a1c72a967aa161a96b0ae62ffbefe9e5e1c2057d7f3f4
  • dfb3e5f557a17c8cdebdb5b371cf38c5a7ab491b2aeaad6b4e76459a05b44f28

Additional Resources


文章来源: https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/
如有侵权请联系:admin#unsafe.sh