Renée Burton’s Post

Head of Threat Intel. DNS all day, every day.

Heads Up! We discovered low profile malware DNS C2 beacons from a RAT that have persisted for a year, connecting to a Russian C2. It's not consumer devices. Actor setting up new domains still. More in my comments. Block these domains! claudfront[.]net, allowlisted[.]net, atlas-upd[.]com, ads-tm-glb[.]click, cbox4[.]ignorelist[.]com, hsdps[.]cc Infoblox #malware #infoblox #threatintelligence #threatintel #dns #dnssecurity The paper is now live here: https://lnkd.in/dk2zBHQH
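The post says the beacons are low profile and hide in the noise of DNS, and asks readers to block the six domains. As an added example (not Infoblox's or the post author's code), the script below runs over a constructed outbound resolver log and does the two things a practitioner would want beyond a plain blocklist: it matches the listed domains on label boundaries only, and for each client it scores how regular the queries are and how random the data-carrying labels look. The log format ("<UTC timestamp> <client> <qtype> <qname>", one query per line), the thresholds and the sample lines are assumptions; the domains are the post's, with the "[.]" de-fanging removed so they match real query names.

```python
"""Triage outbound DNS resolver logs for the domains named in the post.

Added example, not Infoblox's or the post author's code. The log format
is an assumption: "<UTC timestamp> <client> <qtype> <qname>" per line.
"""
import math
import statistics
from collections import defaultdict
from datetime import datetime, timezone

# Domains from the post, "[.]" de-fanging removed so they match real qnames.
IOC_DOMAINS = frozenset({
    "claudfront.net", "allowlisted.net", "atlas-upd.com",
    "ads-tm-glb.click", "cbox4.ignorelist.com", "hsdps.cc",
})

# Constructed sample log (not real telemetry). 10.1.4.22 asks for a fresh
# high-entropy subdomain of claudfront.net about every five minutes, which
# is what a low-and-slow DNS beacon / exfil channel looks like.
SAMPLE_LOG = """\
2024-02-01T10:00:03Z 10.1.4.22 A k3p0qzr8mtx1vna7c.d4h2lbx9.claudfront.net
2024-02-01T10:00:05Z 10.1.4.22 A www.example.com
2024-02-01T10:05:04Z 10.1.4.22 A zq9n4xwtk8brm2fy5.p7c1vdsa3.claudfront.net
2024-02-01T10:10:02Z 10.1.4.22 A b8x3mqv7rtz2kw4ln.j6g9hcpe1.claudfront.net
2024-02-01T10:15:05Z 10.1.4.22 A w5r2tyk9mhq4xzn7c.a3f8vbdl6.claudfront.net
2024-02-01T10:03:00Z 10.1.9.7 A cdn.example.org
2024-02-01T10:07:00Z 10.1.9.7 TXT hsdps.cc
2024-02-01T10:08:00Z 10.1.9.7 A notclaudfront.net
"""


def parse_line(line):
    ts_s, client, qtype, qname = line.split()
    ts = datetime.strptime(ts_s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts, client, qtype, qname.rstrip(".").lower()


def ioc_match(qname):
    """IOC domain the qname falls under; label-boundary match only, so
    notclaudfront.net is not a hit."""
    for ioc in IOC_DOMAINS:
        if qname == ioc or qname.endswith("." + ioc):
            return ioc
    return None


def shannon_entropy(s):
    """Bits per character; encoded data scores well above dictionary labels."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def analyze(log_text, min_beacon_hits=3, max_jitter_ratio=0.1):
    """Group IOC hits per (client, domain); score periodicity and label entropy."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, client, _qtype, qname = parse_line(line)
        ioc = ioc_match(qname)
        if ioc is None:
            continue
        prefix = qname[: -len(ioc)].rstrip(".")  # the data-carrying labels
        hits[(client, ioc)].append((ts, prefix))

    report = {}
    for key, events in hits.items():
        events.sort()
        times = [t for t, _ in events]
        intervals = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean_iv = statistics.mean(intervals) if intervals else 0.0
        jitter = statistics.pstdev(intervals) if len(intervals) > 1 else 0.0
        entropies = [shannon_entropy(p) for _, p in events if p]
        periodic = (len(events) >= min_beacon_hits and mean_iv > 0
                    and jitter / mean_iv <= max_jitter_ratio)
        report[key] = {
            "count": len(events),
            "mean_interval_s": mean_iv,
            "jitter_s": jitter,
            "mean_prefix_entropy": statistics.mean(entropies) if entropies else 0.0,
            "max_prefix_len": max((len(p) for _, p in events), default=0),
            "verdict": "periodic-beacon" if periodic else "ioc-hit",
        }
    return report


if __name__ == "__main__":
    for (client, ioc), r in sorted(analyze(SAMPLE_LOG).items()):
        print(f"{client:<10} {ioc:<22} {r['verdict']:<16} n={r['count']} "
              f"period={r['mean_interval_s']:.0f}s jitter={r['jitter_s']:.1f}s "
              f"entropy={r['mean_prefix_entropy']:.2f} maxlen={r['max_prefix_len']}")
```

Any hit on a listed domain is worth a ticket, but the "periodic-beacon" verdict (several hits, low interval jitter, random-looking prefixes) is what separates a live implant from a one-off lookup. The script only looks at outbound queries from your own resolver; hostnames that show up inside inbound traffic, such as the scanner requests discussed later in the thread, are a different signal and should not be fed into it.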

Renée Burton

Head of Threat Intel. DNS all day, every day.

1y

When you see the examples you'll think: duh, that's obviously exfil... but in fact, finding this kind of activity is brutally hard. It is very low profile and hides in the noise of DNS. That's why it can persist for so long.

Renée Burton

Head of Threat Intel. DNS all day, every day.

1y

We've been working this for over a week, but some domains were already in our suspicious domains feed. Will release a detailed paper late next week.

Renée Burton

Head of Threat Intel. DNS all day, every day.

1y

Malware community -- if you figure out anything from your perspective let me know! What we know is from our DNS vantage point.

Tom Lancaster

Threat Intel Lead at Volexity

12mo

Hi Renee, I suspect these domains, or at least some of them, are not related to any malware, but are in fact related to Palo Alto Networks' Expanse product and its scanning of the internet. In particular, over the past year, we have identified numerous occasions where an _inbound_ HTTP request to a customer sensor has contained domains listed in your list, e.g.

    HTTP: GET uljxkwmlt23plf[redacted]bja9999.wu2[redacted]yw5qzji9.claudfront[.]net / HTTP/1.1
    User-agent: Expanse, a Palo Alto Networks company, searches across the global IPv4 space multiple times per day to identify customers' presences on the Internet. If you would like to be excluded from our scans, please send IP addresses/domains to: scaninfo@paloaltonetworks.com

There's no tie from the domain to PANW Expanse that I can identify other than the User-Agent, but in the scenario where these domains were abused in some kind of DNS C2 mechanism these requests would make no sense. Obviously an attacker could be using the same domain for DNS C2 and placing that same domain in HTTP requests that they spam the internet with, but maybe there is a benign explanation relating to the PANW scanner instead.
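The point of the comment above is direction: one of the listed domains appearing in an inbound HTTP request from an internet scanner is not the same signal as a host on your network resolving it. As an added example (not the commenter's code), the snippet below parses a raw inbound request, pulls the host out of an absolute-form request target (falling back to the Host header), checks it against the post's domains and separates scanner hits from anything else using the User-Agent prefix quoted above. The request text and its labels are constructed, and treating that User-Agent prefix as the scanner's identifier is an assumption.

```python
"""Classify an inbound HTTP request that names one of the post's domains.

Added example, not the commenter's code. Assumes the raw request line and
headers are available, and that the scanner identifies itself by the
User-Agent prefix quoted in the comment above (an assumption).
"""
import re

IOC_DOMAINS = frozenset({
    "claudfront.net", "allowlisted.net", "atlas-upd.com",
    "ads-tm-glb.click", "cbox4.ignorelist.com", "hsdps.cc",
})
EXPANSE_UA_PREFIX = "Expanse, a Palo Alto Networks company"

# Constructed request, modelled on the one quoted above; labels are invented.
SCANNER_REQUEST = (
    "GET http://x9k2mtq7vbn4zp.r5w8lhd3.claudfront.net/ HTTP/1.1\r\n"
    "Host: x9k2mtq7vbn4zp.r5w8lhd3.claudfront.net\r\n"
    "User-Agent: Expanse, a Palo Alto Networks company, searches across the global "
    "IPv4 space multiple times per day to identify customers' presences on the Internet.\r\n"
    "\r\n"
)
# Same request with a non-scanner User-Agent, for comparison.
OTHER_REQUEST = SCANNER_REQUEST.replace(EXPANSE_UA_PREFIX, "curl/8.0")


def parse_request(raw):
    """Split a raw request into (method, target, {lowercased header: value})."""
    head = raw.split("\r\n\r\n", 1)[0]
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, target, headers


def requested_host(target, headers):
    """Host from an absolute-form target (what scanners and proxies send),
    otherwise the Host header without any port."""
    m = re.match(r"^[a-z][a-z0-9+.-]*://([^/:?#]+)", target, re.I)
    if m:
        return m.group(1).lower().rstrip(".")
    host = headers.get("host", "").split(":")[0].lower().rstrip(".")
    return host or None


def ioc_match(host):
    """IOC domain the host falls under; label-boundary match only."""
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def classify_inbound(raw):
    """Return (verdict, host, ioc). A scanner naming an IOC domain in an inbound
    request says nothing about the receiving host; outbound resolution would."""
    _method, target, headers = parse_request(raw)
    host = requested_host(target, headers)
    ioc = ioc_match(host) if host else None
    if ioc is None:
        return ("no-ioc", host, None)
    if headers.get("user-agent", "").startswith(EXPANSE_UA_PREFIX):
        return ("inbound-scanner-ioc", host, ioc)
    return ("inbound-ioc", host, ioc)


if __name__ == "__main__":
    print(classify_inbound(SCANNER_REQUEST))
    print(classify_inbound(OTHER_REQUEST))
```

In practice the "inbound-scanner-ioc" verdict is the one to suppress from blocklist alerting (and to mention when sharing the indicators, since other people's sensors will see the same requests), while "inbound-ioc" from an unknown client is still worth a look.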

Andrew Northern

Senior Threat Researcher

1y

Have a sample? I’d be happy to take a look

Joshua Clegg

Lead Cloud Security Engineer

1y

Is traffic to the domains considered an IoC?

Michael Bunner

Automation Engineering

1y

The most unfortunate part of this post is how I'm unable to immediately copy the text on an Android device from the LinkedIn app. Is LI my new threat feed? Thank you thank you for contributing to any low-n-slow attacks.

Shelby M.

Certified Information Security Manager (CISM), Information Technology Enthusiast, Mentor, Problem Solver, Navy Veteran, and TIME Magazine's Person of the Year (2006)

1y

Kyle Krejci Zack Hatfield 🔐 Is this the kind of stuff Pure Signal is looking for?

Will Thomas

CTI Researcher at Equinix | Co-founder of Curated Intelligence | Co-author of SANS FOR589

1y

Would really enjoy it if these were added to something like a GitHub repo or gist and annotated
