2014, DNS and Malware - Cyber Security Informer

Analyzing OilRig’s malware that uses DNS Tunneling

Security Affairs

APRIL 18, 2019

Iran-linked APT group OilRig is heavily leveraging on DNS tunneling for its cyber espionage campaigns, Palo Alto Networks reveals. Security researchers at Palo Alto Networks reported that Iran-linked APT group OilRig is heavily leveraging on DNS tunneling for its cyber espionage campaigns, Palo Alto Networks reveals.

DNS

DNS Malware Advertising Hacking

Godlua backdoor, the first malware that abuses the DNS over HTTPS (DoH)

Security Affairs

JULY 4, 2019

The peculiarity of this new piece of malware is the ability to communicate with C2 servers via DNS over HTTPS ( DoH ). The DoH protocol was a new standard proposed in October 2018 and it is currently supported by several publicly available DNS servers. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

DNS

DNS Malware Advertising DDOS

Why Malware Crypting Services Deserve More Scrutiny

Krebs on Security

JUNE 21, 2023

If you operate a cybercrime business that relies on disseminating malicious software, you probably also spend a good deal of time trying to disguise or “crypt” your malware so that it appears benign to antivirus and security products. This story explores the history and identity behind Cryptor[.]biz WHO RUNS CRYPTOR[.]BIZ?

Malware

Malware Antivirus Cybercrime Hacking

DHS CISA urges government agencies to fix SIGRed Windows Server DNS bug within 24h

Security Affairs

JULY 17, 2020

US DHS CISA urges government agencies to patch SIGRed Windows Server DNS vulnerability within 24h due to the likelihood of the issue being exploited. The SigRed flaw was discovered by Check Point researcher Sagi Tzaik and impacts Microsoft Windows DNS. reads the analysis published by CheckPoint. ” states Krebs.

DNS

DNS Government Advertising Engineering

Microsoft fixes critical wormable RCE SigRed in Windows DNS servers

Security Affairs

JULY 14, 2020

The SigRed flaw was discovered by Check Point researcher Sagi Tzaik and impacts Microsoft Windows DNS. An attacker could exploit the SigRed vulnerability by sending specially-crafted malicious DNS queries to a Windows DNS server. Non-Microsoft DNS Servers are not affected.”

DNS

DNS Advertising Malware Hacking

Massive increase in XorDDoS Linux malware in last six months

Malwarebytes

MAY 25, 2022

XorDDoS, a Linux Trojan known for its modularity and stealth, was first discovered in 2014 by the white hat research group, MalwareMustDie (MMD). Based on a case study in 2015 , Akamai strengthened the theory that the malware may be of Asian origin based on its targets. MMD believed the Linux Trojan originated in China.

Malware

Malware IoT DDOS DNS

Hackers hijack D-Link and Linksys routers to point users to coronavirus-themed sites serving malware

Security Affairs

MARCH 26, 2020

The number of Coronavirus-themed attacks continues to increase, crooks hijack D-Link and Linksys routers to redirect users to sites spreading COVID19-themed malware. Crooks continue to launch Coronavirus-themed attacks , experts observed hackers hijacking D-Link and Linksys routers to redirect users to COVID19-themed sites spreading malware.

Malware

Malware DNS Advertising Cryptocurrency

Linksys force password reset to prevent Router hijacking

Security Affairs

APRIL 16, 2020

Linksys has reset passwords for all its customers’ after learning on ongoing DNS hijacking attacks aimed at delivering malware. Crooks continue to launch Coronavirus-themed attacks , in the last weeks, experts observed hackers hijacking D-Link and Linksys routers to redirect users to COVID19-themed sites spreading malware.

Passwords

Passwords DNS Malware Advertising

GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routers

Security Affairs

OCTOBER 1, 2018

Security experts from Qihoo 360 NetLab spotted GhostDNS, a malware that already infected over 100K+ devices and targets 70+ different types of routers. Security experts from Qihoo 360 NetLab have uncovered an ongoing hacking campaign that leverages the GhostDNS malware. ” reads the analysis published by the experts.

DNS

DNS Malware Firmware Phishing

German encrypted email service Tutanota suffers DDoS attacks

Security Affairs

SEPTEMBER 19, 2020

The popular encrypted email service Tutanota was hit with a series of DDoS attacks this week targeting its website fist and its DNS providers later. Encrypted email service, Tutanota suffered a series of DDoS attacks that initially targeted the website and later its DNS providers. “As a result these providers went down. .

DDOS

DDOS Encryption DNS Advertising

Who’s Behind the Botnet-Based Service BHProxies?

Krebs on Security

FEBRUARY 24, 2023

The Mylobot malware includes more than 1,000 hard-coded and encrypted domain names, any one of which can be registered and used as control networks for the infected hosts. The account didn’t resume posting on the forum until April 2014. 5, 2014 , but historic DNS records show BHproxies[.]com com on Mar.

Accountability

Accountability Advertising Marketing Malware

GoldenHelper, a new malware delivered via Chinese tax software

Security Affairs

JULY 15, 2020

Security researchers discovered another malware family delivered through tax software that some businesses operating in China are required to install. Security researchers at Trustwave have discovered another malware family delivered through tax software that Chinese banks require companies operating in the country to install.

Software

Software Malware Banking Advertising

French Firms Rocked by Kasbah Hacker?

Krebs on Security

MARCH 2, 2020

A large number of French critical infrastructure firms were hacked as part of an extended malware campaign that appears to have been orchestrated by at least one attacker based in Morocco, KrebsOnSecurity has learned.

DNS

DNS Penetration Testing Malware Hacking

OilRig APT uses Karkoff malware along with DNSpionage in recent attacks

Security Affairs

APRIL 24, 2019

Iran-linked OilRig cyberespionage group is using the reconnaissance malware Karkoff along with DNSpionage in recent campaigns. Iran-linked OilRig cyberespione group is using the reconnaissance malware Karkoff along with DNSpionage in recent campaigns. ” reads the analysis published by Talos. ” continues the experts.

Malware

Malware DNS Advertising Hacking

The return of the AdvisorsBot malware

Security Affairs

FEBRUARY 1, 2019

Security experts at Cybaze – Yoroi ZLab have analyzed a new sample of the AdvisorsBot malware, a downloader that was first spotted in August 2018. As usual, the malware looks like a legitimate e-mail attachment, named as “invoice.doc”. Figure 3 – Piece of VBS script that starts malware infection. DLL Analysis.

Malware

Malware DNS Social Engineering Advertising

Trend Micro observed notable malware activity associated with the Momentum Botnet

Security Affairs

DECEMBER 18, 2019

Security experts recently found notable malware activity affecting devices running Linux that is associated with the Momentum Botnet. Malware researchers from Trend Micro recently observed notable malware activity affecting devices running Linux that is associated with the Momentum Botnet. ” concludes the analysis.

Malware

Malware DDOS DNS Advertising

China-linked Winnti APT targets South Korean Gaming firm

Security Affairs

APRIL 22, 2020

” The malware sample employed in the attack resembled a Winnti dropper previously analyzed by ESET researcher that was submitted to a public online malware scanning service. The analysis of the configuration file of malware allowed the identification of the intended target. ” continues the report. Pierluigi Paganini.

DNS

DNS Malware Advertising Software

New Russian Language Malspam is delivering Redaman Banking Malware

Security Affairs

JANUARY 24, 2019

A still ongoing spam campaign that has been active during the last months has been distributing the Redaman banking malware. Experts at Palo Alto Networks continue to monitor an ongoing spam campaign that has been distributing the Redaman banking malware. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

Banking

Banking Malware Advertising DNS

Nigerian Tesla: 419 scammer gone malware distributor unmasked

Malwarebytes

MAY 5, 2022

Agent Tesla is a well-known data stealer written in.NET that has been active since 2014 and is perhaps one of the most popular payloads observed in malspam campaigns. Based on these profiles, we can see this threat actor has an extensive criminal record starting at least from 2014. Test successful! ” from the same machine.

Malware

Malware Scams Phishing Accountability

TrickBot operators employ Linux variants in attacks after recent takedown

Security Affairs

OCTOBER 28, 2020

According to a new report published by researchers from security firm Netscout , TrickBot’s operators have started to use a new variant of their malware in an attempt to Linux systems and expand the list of its targets. “Often delivered as part of a zip, this malware is a lightweight Linux backdoor. Pierluigi Paganini.

DNS

DNS Banking Advertising IoT

Recent Roaming Mantis campaign hit hundreds of users worldwide

Security Affairs

APRIL 8, 2019

Kaspersky Lab reported that hundreds of users have been targeted with malware over the past month as part of a recent Roaming Mantis campaign. Security experts at Kaspersky Lab reported that hundreds of users have been targeted with malware over the past month as part of a new campaign associated with Roaming Mantis gang.

DNS

DNS Mobile Phishing Malware

Security Affairs - Untitled Article

Security Affairs

JULY 17, 2019

Threat actors used the Extembro DNS- changer Trojan in an adware campaign to prevent users from accessing security-related websites. Security experts at Malwarebytes observed an adware campaign that involved the Extembro DNS- changer Trojan to prevent users from accessing websites of security vendors. ” concludes the analysis.

Adware

Adware DNS Malware Advertising

New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and worms

Security Affairs

SEPTEMBER 17, 2018

Palo Alto Network researchers discovered a new malware, tracked as XBash, that combines features from ransomware, cryptocurrency miners, botnets, and worms. Security researchers at Palo Alto Networks have discovered a new piece of malware, dubbed XBash piece that is targeting both Linux and Microsoft Windows servers.

Cryptocurrency

Cryptocurrency Malware Ransomware Cybercrime

Hundreds of Microsoft sub-domains open to hijacking

Security Affairs

MARCH 5, 2020

Security researchers demonstrated that hundreds of sub-domains belonging to Microsoft could potentially be hijacked and abused to deliver malware and for phishing attacks. Let’s consider mybrowser.microsoft.com, it might have resolved by the DNS to something like webserver9000.azurewebsites.net. azurewebsites.net.

DNS

DNS Phishing Advertising Malware

Chinese-speaking cybercrime gang Rocke changes tactics

Security Affairs

OCTOBER 15, 2019

The group has been observed using new tactics, techniques, and procedures (TTPs), it is also using updated malware to evade detection. “the actor moved away from hosting the scripts on dedicated servers and instead started to use Domain Name System (DNS) text records. Pierluigi Paganini.

Cybercrime

Cybercrime DNS Malware Advertising

DarkHydrus adds Google Drive support to its RogueRobin Trojan

Security Affairs

JANUARY 19, 2019

“This malware is a lure Excel document with name ‘???????.xlsm’. The final stage malware is a backdoor written in C#. According to the analysis made by malware researchers from Palo Alto Networks, the text file includes parts of a Windows Script Component (.SCT) The final stage malware is a backdoor written in C#.

DNS

DNS Penetration Testing Malware Advertising

For nearly a year, Brazilian users have been targeted with router attacks

Security Affairs

JULY 13, 2019

The campaign uncovered by Avast aimed at silently modifying the Brazilian users’ Domain Name System (DNS) settings to redirect victims to malicious websites mimicking legitimate ones. “ Malware then guesses routers’ passwords , which new research from Avast shows are often weak. ” reads a blog post published by Avast.

DNS

DNS Passwords Advertising Banking

Microsoft July 2020 Security Updates address 123 vulnerabilities

Security Affairs

JULY 15, 2020

“Today we released an update for CVE-2020-1350 , a Critical Remote Code Execution (RCE) vulnerability in Windows DNS Server that is classified as a ‘wormable’ vulnerability and has a CVSS base score of 10.0. This issue results from a flaw in Microsoft’s DNS server role implementation and affects all Windows Server versions.

DNS

DNS Advertising Engineering Internet

Hackers use hackers spreading tainted hacking tools in long-running campaign

Security Affairs

MARCH 10, 2020

“The threat actors behind this campaign are posting malware embedded inside various hacking tools and cracks for those tools on several websites. The domain started to be associated with malware around the time of the re-registration, however, it is unclear whether this Vietnamese individual has any ties to the malware campaign.”

Hacking

Hacking Malware Advertising DNS

HOW DO PROVIDERS IMPLEMENT INTERNET BLOCKING IN BELARUS?

Security Affairs

SEPTEMBER 23, 2020

Qurium analyzes the blocking implemented by four different operators in Belarus Belarus operators use their own infrastructure to implement the blocking Block techniques include transparent web proxies, injection of HTTP responses, stateless and stateful SSL DPI and fake DNS responses. Qurium forensics report: Internet blocking in Belarus.

Internet

Internet Internet DNS Advertising

Russia-linked APT Gamaredon starts stealing data from victims between 30 and 50 minutes after the initial compromise

Security Affairs

JULY 15, 2023

Gamaredon has been active since 2014 and its activity focus on Ukraine, the group was observed using the multistage backdoor Pteranodon / Pterodo. doc,docx,xls,xlsx,rtf,odt,txt,jpg,jpeg,pdf,ps1,rar,zip,7z,mdb) usually takes 30-50 minutes (usually with GAMMASTEEL malware).” ” states the alert published by CART-UA.

Social Engineering

Social Engineering DNS Accountability Malware

Cyber Defense Magazine – November 2020 has arrived. Enjoy it!

Security Affairs

NOVEMBER 4, 2020

Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Copyright (C) 2014 Media.net Advertising FZ-LLC All Rights Reserved -->. . Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Copyright (C) 2014 Media.net Advertising FZ-LLC All Rights Reserved -->.

InfoSec

InfoSec DNS Advertising Marketing

Winnti APT group uses skip-2.0 malware to control Microsoft SQL Servers

Security Affairs

OCTOBER 21, 2019

Security experts have a new malware, dubbed skip-2.0 Security experts at ESET have discovered a new malware, dubbed skip-2.0, malware was used by threat actors to establish a backdoor in MSSQL Server 11 and 12 servers, allowing them to access to any account on the server using a “magic password.” The skip-2.0

Malware

Malware Passwords Advertising DNS

Russia-linked APT28 has been scanning vulnerable email servers in the last year

Security Affairs

MARCH 20, 2020

Most of APT28s’ campaigns leveraged spear-phishing and malware-based attacks, the recent mass scanning activity represents a change in the modus operandi of the group. “This report aims to shed light on some of Pawn Storm’s attacks that did not use malware in the initial stages. Pierluigi Paganini.

Phishing

Phishing Accountability Advertising DNS

Conti Leak Indicators – What to block, in your SOC….

Security Affairs

AUGUST 6, 2021

If you are in doubt, check the subnets on [link] and look at known DNS entries to get an idea. For most organizations, the chance of false positives, when blocking these subnets, will be very low to non-existent. ’ Follow me on Twitter: @securityaffairs and Facebook. Pierluigi Paganini. SecurityAffairs – hacking, Conti ransomware).

Ransomware

Ransomware DNS Malware Hacking

Crooks use tainted Zoom apps to target users at home due to Coronavirus outbreak

Security Affairs

APRIL 2, 2020

“This piece of malware has components injected in the repackaged Zoom application,” The attacks observed by the researchers only did not involved the official Google Play. ddns.net:4444, which is a dynamic DNS service that allows a user with a dynamic IP address to map it to a subdomain. Pierluigi Paganini.

Mobile

Mobile Advertising DNS Malware

Iran-Linked OilRig APT group targets high-ranking office in a Middle Eastern nation

Security Affairs

SEPTEMBER 14, 2018

“BONDUPDATER, like other OilRig tools, uses DNS tunneling to communicate with its C2 server. The malware checks that only one instance of it is running at one time, it also locks files to determine how long the main PowerShell process has been executing. Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->.

DNS

DNS Phishing Government Malware

GALLIUM Threat Group targets global telcos, Microsoft warns

Security Affairs

DECEMBER 12, 2019

Experts pointed out that GALLIUM threat actors were using common versions of malware and publicly available tools with a few changes to evade detection. The operators leverage on low cost and easy to replace infrastructure using dynamic-DNS domains and regularly reused hop points. ” continues the analysis. Pierluigi Paganini.

Telecommunications

Telecommunications DNS Malware Advertising

FBI and Interpol shut down some servers of Joker’s Stash carding marketplace

Security Affairs

DECEMBER 19, 2020

The Joker’s Stash carding platform has been active since October 7, 2014, it focuses on the sale of stolen payment card details. At the time of this writing the Joker’s Stash’s.bazar,lib,emc,coin domains, which are all those accessible via blockchain DNS, are simply showing a “Server Not Found” message. .

DNS

DNS Cybercrime Hacking Information Security

Cisco fixes 34 High-Severity flaws in IOS and IOS XE software

Security Affairs

SEPTEMBER 25, 2020

Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. Copyright (C) 2014 Media.net Advertising FZ-LLC All Rights Reserved -->. Two vulnerabilities can allow authenticated attackers with local access to the target devices to execute arbitrary code. Pierluigi Paganini. SecurityAffairs – hacking, DoS).

Software

Software DNS Wireless Advertising

InvisiMole group targets military sector and diplomatic missions in Eastern Europe

Security Affairs

JUNE 18, 2020

They use DNS tunneling for stealthier C&C communications, and place execution guardrails on the malicious components to hide the malware from security researchers.” Experts also observed attackers using a DNS downloader that was designed for long-term, covert access to the target machine. Pierluigi Paganini.

DNS

DNS Advertising Spyware Software

TeamTNT group adds new detection evasion tool to its Linux miner

Security Affairs

JANUARY 28, 2021

The TeamTNT botnet is a crypto-mining malware operation that has been active since April 2020 and that targets Docker installs. The libprocesshider open-source tool is available on Github since 2014 and is able to “hide a process under Linux using the ld preloader.” SecurityAffairs – hacking, malware).

Cryptocurrency

Cryptocurrency Cybercrime DNS Malware

China-Linked APT15 group is using a previously undocumented backdoor

Security Affairs

JULY 23, 2019

The attackers demonstrated an increasing level of sophistication across the years, they used custom-malware and various exploits in their attacks. “Second, we identified a previously undocumented malware family with strong links to the Ke3chang group – a backdoor we named Okrum. ” reads the report published by ESET.

DNS

DNS Malware Advertising Manufacturing

New Ttint IoT botnet exploits two zero-days in Tenda routers

Security Affairs

OCTOBER 5, 2020

Unlike other IoT DDoS botnets, Ttint implements 12 remote access functions such as Socket5 proxy for router devices, tampering with router firewall and DNS settings, executing remote custom system commands. ” ~ Copyright (C) 2014-2015 Media.net Advertising FZ-LLC All Rights Reserved -->. ” concludes the report.

IoT

IoT Firmware DNS Advertising

Analyzing OilRig’s malware that uses DNS Tunneling

Godlua backdoor, the first malware that abuses the DNS over HTTPS (DoH)

Trending Sources

Why Malware Crypting Services Deserve More Scrutiny

DHS CISA urges government agencies to fix SIGRed Windows Server DNS bug within 24h

Microsoft fixes critical wormable RCE SigRed in Windows DNS servers

Massive increase in XorDDoS Linux malware in last six months

Hackers hijack D-Link and Linksys routers to point users to coronavirus-themed sites serving malware

Linksys force password reset to prevent Router hijacking

GhostDNS malware already infected over 100K+ devices and targets 70+ different types of home routers

German encrypted email service Tutanota suffers DDoS attacks

Who’s Behind the Botnet-Based Service BHProxies?

GoldenHelper, a new malware delivered via Chinese tax software

French Firms Rocked by Kasbah Hacker?

OilRig APT uses Karkoff malware along with DNSpionage in recent attacks

The return of the AdvisorsBot malware

Trend Micro observed notable malware activity associated with the Momentum Botnet

China-linked Winnti APT targets South Korean Gaming firm

New Russian Language Malspam is delivering Redaman Banking Malware

Nigerian Tesla: 419 scammer gone malware distributor unmasked

TrickBot operators employ Linux variants in attacks after recent takedown

Recent Roaming Mantis campaign hit hundreds of users worldwide

Security Affairs - Untitled Article

New XBash malware combines features from ransomware, cryptocurrency miners, botnets, and worms

Hundreds of Microsoft sub-domains open to hijacking

Chinese-speaking cybercrime gang Rocke changes tactics

DarkHydrus adds Google Drive support to its RogueRobin Trojan

For nearly a year, Brazilian users have been targeted with router attacks

Microsoft July 2020 Security Updates address 123 vulnerabilities

Hackers use hackers spreading tainted hacking tools in long-running campaign

HOW DO PROVIDERS IMPLEMENT INTERNET BLOCKING IN BELARUS?

Russia-linked APT Gamaredon starts stealing data from victims between 30 and 50 minutes after the initial compromise

Cyber Defense Magazine – November 2020 has arrived. Enjoy it!

Winnti APT group uses skip-2.0 malware to control Microsoft SQL Servers

Russia-linked APT28 has been scanning vulnerable email servers in the last year

Conti Leak Indicators – What to block, in your SOC….

Crooks use tainted Zoom apps to target users at home due to Coronavirus outbreak

Iran-Linked OilRig APT group targets high-ranking office in a Middle Eastern nation

GALLIUM Threat Group targets global telcos, Microsoft warns

FBI and Interpol shut down some servers of Joker’s Stash carding marketplace

Cisco fixes 34 High-Severity flaws in IOS and IOS XE software

InvisiMole group targets military sector and diplomatic missions in Eastern Europe

TeamTNT group adds new detection evasion tool to its Linux miner

China-Linked APT15 group is using a previously undocumented backdoor

New Ttint IoT botnet exploits two zero-days in Tenda routers

Stay Connected