DNS Security Review

upnorth

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
The first example of additional techniques we’ve observed uses legitimate services to query IP assignments for malicious domains. By using these services, Trident Ursa is effectively bypassing DNS and DNS logging for the malicious domains.
Click to expand...
unit42.paloaltonetworks.com

Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine

Ukraine and its cyber domain has faced ever-increasing threats from Russia. We give an update on APT group Trident Ursa (aka Gamaredon).
unit42.paloaltonetworks.com unit42.paloaltonetworks.com
 
  • Like
  • +Reputation
  • Applause
Reactions: cryogent, Sorrento, roger_m and 7 others
TairikuOkami

TairikuOkami

Level 37
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,633
By using these services, Trident Ursa is effectively bypassing DNS and DNS logging for the malicious domains.
Click to expand...
Bypassing DNS Through a Messaging Service
Once opened, this .lnk shortcut uses mshta.exe
a loader that drops two files and eventually runs them as VBScripts using the wscript application.
Click to expand...
I am pretty sure that DNS would block C&C server, but still, I block social media on my main browser, mshta.exe is disallowed and WSH is disabled. Pretty lame malware.
 
  • Like
Reactions: Sorrento, roger_m, vtqhtr413 and 2 others
upnorth

upnorth

Level 68
Verified
Top Poster
Malware Hunter
Well-known
Jul 27, 2015
5,458
Abuse of legit services is nothing brand new as for example Google Firebase is one of those.


Firebase Cloud Messaging

Firebase Cloud Messaging (FCM) is a cross-platform messaging solution that lets you reliably send messages at no cost.
firebase.google.com firebase.google.com

Here's a bit deeper analysis on the use of Firebase and this was already being done by attackers in 2020.


blog.talosintelligence.com

DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread

By Warren Mercer, Paul Rascagneres and Vitor Ventura. * The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location. * Even if the command and control (C2) is taken down, the DoNot team can still redirect the malware to...
blog.talosintelligence.com blog.talosintelligence.com
 
  • Like
  • Applause
Reactions: cryogent, Sorrento, vtqhtr413 and 4 others

Similar threads

X195
    • Like
Advice Request Help needed with DNS configuration
Replies
15
Views
959
AdGuard
Chuck57
Chuck57
Shadowra
    • +Reputation
    • Like
    • Thanks
App Review Cloudflare GateWay Threat Protection
Replies
4
Views
674
Video Reviews - Security and Privacy
Allego
Allego
NB InfoTech
    • Like
App Review Want to try? | Comodo Antivirus Test & Review | Comodo Internet Security vs Ransomware | 2024
Replies
4
Views
392
Video Reviews - Security and Privacy
bazang
bazang

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top