Question NextDNS client infected?

Please provide comments and solutions that are helpful to the author of this topic.

Kongo

Level 35
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,491
Just stumbled upon a thread in the NextDNS forum where someone states that the current NextDNS client installer drops a malicious payload. Anybody can take a closer look at it?

 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,714
During the installation of a program, all this behaviour (including the one that is deemed as attack) is normal, there is nothing out of the ordinary there. I would still flag this thread for @struppigel but I don’t see any malicious payload or behaviour in this installer.

1-2 products that apparently have a very aggressive configuration on VT, such as Fortinet, detect heuristic threats. It’s not enough to even suspect anything.
 

7Oz-64

Level 1
Jan 16, 2023
27
Nothing wrong here :
Hash and VT.PNG


EEK.PNG


Gdata.PNG
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
If you are to believe the poster in that forum post the installer tries to use taskkill to disable AV, reads clipboard and installs a keylogger. Suspicious behaviour indeed, and if it is OilRig linked campaign then that is a well-known APT crew. It wouldn't surprise me as NextDns would be a prime target for APT crews to compromise. But someone somewhere should have noticed this earlier if it is indeed a breach/compromise and if the file is 4 months old so it's not new, unsure of the final verdict.
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,714
If you are to believe the poster in that forum post the installer tries to use taskkill to disable AV, reads clipboard and installs a keylogger. Suspicious behaviour indeed, and if it is OilRig linked campaign then that is a well-known APT crew. It wouldn't surprise me as NextDns would be a prime target for APT crews to compromise. But someone somewhere should have noticed this earlier if it is indeed a breach/compromise and if the file is 4 months old so it's not new, unsure of the final verdict.
That’s why tools like VT and various sandboxes are not used in real-time protection, as they will delete 90% of Windows and will leave just 5 pictures in the document folder.

What’s displayed as “keylogging” behaviour might be just attempts to capture keyboard shortcuts.

The AV strings might be for compatibility reasons, for example NextDNS might be applying special configurations to be compatible with antivirus software.

In the context of an installer and installed application such as NextDNS, there is nothing suspicious really. It will be suspicious if a PDF document attempts all that.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
Your points are very valid and spot on, as I said if this has been around for 4 months then it would have been caught earlier you would think especially if it was OilRig threat actors, it's probably just paranoia at work by the forum poster. NextDns users would be the security conscious type, sometimes you try and find issues where there are none and find hacks/breaches when it's just a dumb app config or something innocuous. I guess with all the hacks/breaches lately it's impacted people's thinking, people expect hacks and think nothing is secure.

.
 

upnorth

Moderator
Verified
Staff Member
Malware Hunter
Well-known
Jul 27, 2015
5,459
infected by a threat actor from the middle east
Really!? With confusing correlation reference to a locked SOC report, Mitre basic info, and AnyRun samples that's from 2018, 2019 and 2020 with a Oilrig tag, all high detected btw, and the " supposed " related dropped files in the latest VT submission with 1 score/detections, this is a 100% conclusive assessment on a genuine, Oilrig attack?

200 (4).gif
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,714
Really!? With confusing correlation reference to a locked SOC report, Mitre basic info, and AnyRun samples that's from 2018, 2019 and 2020 with a Oilrig tag, all high detected btw, and the " supposed " related dropped files in the latest VT submission with 1 score/detections, this is a 100% conclusive assessment on a genuine, Oilrig attack?

View attachment 274590
You always make me laugh lol.

Not sure how it was even attributed and specially to Oilrig.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,479
Either the poster is genuinely confused (I do not want to use the word dumb) and misinterpreted the rule vs the match or it is one of those repeated attempts from other DNS provides.

Like he is referring to the taskkill to be used to kill AV. No, it is used to kill NextDNS.exe so it can be updated.
 

Attachments

  • capture_04162023_103541.jpg
    capture_04162023_103541.jpg
    307 KB · Views: 99

Shadowra

Level 33
Verified
Top Poster
Content Creator
Malware Tester
Well-known
Sep 2, 2021
2,287
So a software that makes Taskill is necessarily a malware?
OK there is KillAV malware, but the antivirus software blocks it quickly and knows how to defend itself (Self-Defense).

For NextDNS, no detection with ESET up to date and Voodooshield.
(Sorry, my software is in French, it's my language)

Capture d’écran 2023-04-16 111820.png


Capture d’écran 2023-04-16 112009.png
 

Kongo

Level 35
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,491
So a software that makes Taskill is necessarily a malware?
OK there is KillAV malware, but the antivirus software blocks it quickly and knows how to defend itself (Self-Defense).

For NextDNS, no detection with ESET up to date and Voodooshield.
(Sorry, my software is in French, it's my language)

View attachment 274598

View attachment 274599
You forgot to update VoodooShield to the latest version. Thats even worse than the fact that the NextDNS installer could be infected. >_>
 

Trident

Level 28
Verified
Top Poster
Well-known
Feb 7, 2023
1,714
So a software that makes Taskill is necessarily a malware?


The original poster is not very knowledgeable and quickly saw behaviour which undoubtedly COULD be dangerous, just not in this context. This is why this behaviour alone can’t be used to create detections, it is not reliable, it will produce a lot of fps.

He is talking about this:
IMG_1359.jpeg


From there, he is quick to suppose that NextDNS is infected and he even pins it on a specific attacker. I would expect him soon to go and sue the “attacker”. Assuming much?

The dropped files he is referring to (with detection) are few shortcuts detected by a second-tier engine with low reliability (not Kaspersky, Eset, Bitdefender, Symantec). Obviously this detection means nothing.
 

Kongo

Level 35
Thread author
Verified
Top Poster
Well-known
Feb 25, 2017
2,491
The original poster is not very knowledgeable and quickly saw behaviour which undoubtedly COULD be dangerous, just not in this context. This is why this behaviour alone can’t be used to create detections, it is not reliable, it will produce a lot of fps.

He is talking about this:
View attachment 274602

From there, he is quick to suppose that NextDNS is infected and he even pins it on a specific attacker. I would expect him soon to go and sue the “attacker”. Assuming much?
And those are the only posts that he did on the NextDNS forum. Might actually be a hater or someone from the competition, but those are just assumptions.
 

Zero Knowledge

Level 20
Verified
Top Poster
Content Creator
Dec 2, 2016
841
And those are the only posts that he did on the NextDNS forum. Might actually be a hater or someone from the competition, but those are just assumptions.
I don't think he is a hater. You would use Twitter or Reddit to bash a competitor not the companies very own forum where they can censor and delete your post. I think he is just confused or misreading VT results, maybe he's new to the security world and has read one too many APT reports and the constant media headlines and attention of hacks and breachers has got to him and he's looking for things that are not there.
 

TairikuOkami

Level 35
Verified
Top Poster
Content Creator
Well-known
May 13, 2017
2,479
I don't think he is a hater. You would use Twitter or Reddit to bash a competitor not the companies very own forum where they can censor and delete your post.
NextDNS does not that, they are hardly active at all, considering it is just 2 people. There are regular posts on NextDNS forum and reddit to persuade people to move to a "better" DNS.
 

mlnevese

Level 26
Verified
Top Poster
Well-known
May 3, 2015
1,533
So what I get from that thread every is that every software that kills its active tasks when updating or reads for keyboard shortcut is malware. Wow! I had no idea my system was so heavily infected. All major security suite failed me! I'll ditch my computers and start using an abacus... :alien:
 
  • HaHa
Reactions: oldschool

likeastar20

Level 8
Verified
Mar 24, 2016
360
The Bitdefender engine used to detect the .lnk file as a FileRunner Trojan (old report from 1 month ago?) or something like that, but after doing the "Renalyze file" option in VT, it stopped. This is probably why he thought it was infected.
 
Last edited:

About us

  • MalwareTips is a community-driven platform providing the latest information and resources on malware and cyber threats. Our team of experienced professionals and passionate volunteers work to keep the internet safe and secure. We provide accurate, up-to-date information and strive to build a strong and supportive community dedicated to cybersecurity.

User Menu

Follow us

Follow us on Facebook or Twitter to know first about the latest cybersecurity incidents and malware threats.

Top