DNS Security Review

upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
The first example of additional techniques we’ve observed uses legitimate services to query IP assignments for malicious domains. By using these services, Trident Ursa is effectively bypassing DNS and DNS logging for the malicious domains.
Click to expand...
unit42.paloaltonetworks.com

Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine

Ukraine and its cyber domain has faced ever-increasing threats from Russia. We give an update on APT group Trident Ursa (aka Gamaredon).
unit42.paloaltonetworks.com unit42.paloaltonetworks.com
 
  • Like
  • +Reputation
  • Applause
Reactions: cryogent, Sorrento, roger_m and 7 others
TairikuOkami

TairikuOkami

Level 36
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,507
By using these services, Trident Ursa is effectively bypassing DNS and DNS logging for the malicious domains.
Click to expand...
Bypassing DNS Through a Messaging Service
Once opened, this .lnk shortcut uses mshta.exe
a loader that drops two files and eventually runs them as VBScripts using the wscript application.
Click to expand...
I am pretty sure that DNS would block C&C server, but still, I block social media on my main browser, mshta.exe is disallowed and WSH is disabled. Pretty lame malware.
 
  • Like
Reactions: Sorrento, roger_m, vtqhtr413 and 2 others
upnorth

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
Abuse of legit services is nothing brand new as for example Google Firebase is one of those.


Firebase Cloud Messaging

Firebase Cloud Messaging (FCM) is a cross-platform messaging solution that lets you reliably send messages at no cost.
firebase.google.com firebase.google.com

Here's a bit deeper analysis on the use of Firebase and this was already being done by attackers in 2020.


blog.talosintelligence.com

DoNot’s Firestarter abuses Google Firebase Cloud Messaging to spread

By Warren Mercer, Paul Rascagneres and Vitor Ventura. * The newly discovered Firestarter malware uses Google Firebase Cloud Messaging to notify its authors of the final payload location. * Even if the command and control (C2) is taken down, the DoNot team can still redirect the malware to...
blog.talosintelligence.com blog.talosintelligence.com
 
  • Like
  • Applause
Reactions: cryogent, Sorrento, vtqhtr413 and 4 others

Similar threads

Adrian Ścibor
    • Like
    • Thanks
    • +Reputation
AVLab.pl Recommended DNS servers – which ones are the fastest and best protect the user?
Replies
31
Views
5,048
Security Statistics and Reports
South Park
South Park
Gandalf_The_Grey
    • Like
    • +Reputation
    • Wow
Security News KeyTrap attack: Internet access disrupted with one DNS packet
Replies
0
Views
901
Security News
Gandalf_The_Grey
Gandalf_The_Grey
klepto
    • Like
Testing android Firewall apps: Netguard vs Rethink DNS +Firewall
Replies
2
Views
1,281
Other security for Android & iOS
ignoramous
I

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

Quick Navigation

Forum Rules Warning System Welcome Guide Two-factor Authentication

User Menu

Login

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top