DNS Security Review

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,449
The first example of additional techniques we’ve observed uses legitimate services to query IP assignments for malicious domains. By using these services, Trident Ursa is effectively bypassing DNS and DNS logging for the malicious domains.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,437
By using these services, Trident Ursa is effectively bypassing DNS and DNS logging for the malicious domains.
Bypassing DNS Through a Messaging Service
Once opened, this .lnk shortcut uses mshta.exe
a loader that drops two files and eventually runs them as VBScripts using the wscript application.
I am pretty sure that DNS would block C&C server, but still, I block social media on my main browser, mshta.exe is disallowed and WSH is disabled. Pretty lame malware.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,449
Abuse of legit services is nothing brand new as for example Google Firebase is one of those.



Here's a bit deeper analysis on the use of Firebase and this was already being done by attackers in 2020.


 

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top