{ "Event": { "analysis": "2", "date": "2017-04-28", "extends_uuid": "", "info": "OSINT - Use of DNS Tunneling for C&C Communications", "publish_timestamp": "1493388289", "published": true, "threat_level_id": "3", "timestamp": "1493388237", "uuid": "590348da-977c-436f-ad6f-4ecb950d210f", "Orgc": { "name": "CIRCL", "uuid": "55f6ea5e-2c60-40e5-964f-47a8950d210f" }, "Tag": [ { "colour": "#ffffff", "name": "tlp:white" }, { "colour": "#5ca400", "name": "malware_classification:obfuscation-technique=\"tunneling\"" } ], "Attribute": [ { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1493388224", "to_ids": false, "type": "link", "uuid": "590348f2-1638-4871-9a44-41df950d210f", "value": "https://securelist.com/blog/research/78203/use-of-dns-tunneling-for-cc-communications/", "Tag": [ { "colour": "#001899", "name": "estimative-language:likelihood-probability=\"likely\"" }, { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "External analysis", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1493388224", "to_ids": false, "type": "text", "uuid": "5903493b-4e54-4a41-a012-91e5950d210f", "value": "Network communication is a key function for any malicious program. Yes, there are exceptions, such as cryptors and ransomware Trojans that can do their job just fine without using the Internet. However, they also require their victims to establish contact with the threat actor so they can send the ransom and recover their encrypted data. If we omit these two and have a look at the types of malware that have no communication with a C&C and/or threat actor, all that remains are a few outdated or extinct families of malware (such as Trojan-ArcBomb), or irrelevant, crudely made prankware that usually does nothing more than scare the user with screamers or switches mouse buttons.\r\n\r\nMalware has come a long way since the Morris worm, and the authors never stop looking for new ways to maintain communication with their creations. Some create complex, multi-tier authentication and management protocols that can take weeks or even months for analysists to decipher. Others go back to the basics and use IRC servers as a management host \u00e2\u20ac\u201c as we saw in the recent case of Mirai and its numerous clones.\r\n\r\nOften, virus writers don\u00e2\u20ac\u2122t even bother to run encryption or mask their communications: instructions and related information is sent in plain text, which comes in handy for a researcher analyzing the bot. This approach is typical of incompetent cybercriminals or even experienced programmers who don\u00e2\u20ac\u2122t have much experience developing malware.\r\n\r\nHowever, you do get the occasional off-the-wall approaches that don\u00e2\u20ac\u2122t fall into either of the above categories. Take, for instance, the case of a Trojan that Kaspersky Lab researchers discovered in mid-March and which establishes a DNS tunnel for communication with the C&C server.\r\n\r\nThe malicious program in question is detected by Kaspersky Lab products as Backdoor.Win32.Denis. This Trojan enables an intruder to manipulate the file system, run arbitrary commands and run loadable modules.", "Tag": [ { "colour": "#001899", "name": "estimative-language:likelihood-probability=\"likely\"" }, { "colour": "#00223b", "name": "osint:source-type=\"blog-post\"" } ] }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1493387622", "to_ids": true, "type": "md5", "uuid": "59034954-4a34-4050-8065-4799950d210f", "value": "facec411b6d6aa23ff80d1366633ea7a" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1493387622", "to_ids": true, "type": "md5", "uuid": "59034954-ef98-4519-a388-46b6950d210f", "value": "018433e8e815d9d2065e57b759202edc" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1493387622", "to_ids": true, "type": "md5", "uuid": "59034955-0b94-41e8-b659-45aa950d210f", "value": "1a4d58e281103fea2a4ccbfab93f74d2" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1493387622", "to_ids": true, "type": "md5", "uuid": "59034955-d724-4e43-af62-4ed6950d210f", "value": "5394b09cf2a0b3d1caaecc46c0e502e3" }, { "category": "Payload delivery", "comment": "", "deleted": false, "disable_correlation": false, "timestamp": "1493387622", "to_ids": true, "type": "md5", "uuid": "59034956-cf84-4aac-8830-439f950d210f", "value": "5421781c2c05e64ef20be54e2ee32e37" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 5421781c2c05e64ef20be54e2ee32e37", "deleted": false, "disable_correlation": false, "timestamp": "1493387625", "to_ids": true, "type": "sha256", "uuid": "59034969-7be4-4e97-a9f4-4c5c02de0b81", "value": "bb5114227ab5bb2e6bde5bcd876e437f72998ee88d27f7cbb15828c82666bef1" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 5421781c2c05e64ef20be54e2ee32e37", "deleted": false, "disable_correlation": false, "timestamp": "1493387626", "to_ids": true, "type": "sha1", "uuid": "5903496a-9848-4945-a9b8-44c702de0b81", "value": "1af72331e7e1c9cfc2f1f3f7b198068264430fbe" }, { "category": "External analysis", "comment": "- Xchecked via VT: 5421781c2c05e64ef20be54e2ee32e37", "deleted": false, "disable_correlation": false, "timestamp": "1493387626", "to_ids": false, "type": "link", "uuid": "5903496a-fffc-40c8-bd0f-4d9f02de0b81", "value": "https://www.virustotal.com/file/bb5114227ab5bb2e6bde5bcd876e437f72998ee88d27f7cbb15828c82666bef1/analysis/1489120629/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 5394b09cf2a0b3d1caaecc46c0e502e3", "deleted": false, "disable_correlation": false, "timestamp": "1493387626", "to_ids": true, "type": "sha256", "uuid": "5903496a-4238-4c8b-9d6b-466602de0b81", "value": "087ef9f7ce4681d49c6fa8842785fedef21461f160a34fc37c75fed26ddfa91e" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 5394b09cf2a0b3d1caaecc46c0e502e3", "deleted": false, "disable_correlation": false, "timestamp": "1493387627", "to_ids": true, "type": "sha1", "uuid": "5903496b-526c-4b14-b1f0-40e602de0b81", "value": "1fef52800fa9b752b98d3cbb8fff0c44046526aa" }, { "category": "External analysis", "comment": "- Xchecked via VT: 5394b09cf2a0b3d1caaecc46c0e502e3", "deleted": false, "disable_correlation": false, "timestamp": "1493387627", "to_ids": false, "type": "link", "uuid": "5903496b-458c-4267-83b7-453902de0b81", "value": "https://www.virustotal.com/file/087ef9f7ce4681d49c6fa8842785fedef21461f160a34fc37c75fed26ddfa91e/analysis/1490772409/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 1a4d58e281103fea2a4ccbfab93f74d2", "deleted": false, "disable_correlation": false, "timestamp": "1493387628", "to_ids": true, "type": "sha256", "uuid": "5903496c-7148-4de6-bb84-4a2a02de0b81", "value": "f5872f49943c39b73026fc3982b85330953a138cc27c23487a28103337bfdbb5" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 1a4d58e281103fea2a4ccbfab93f74d2", "deleted": false, "disable_correlation": false, "timestamp": "1493387628", "to_ids": true, "type": "sha1", "uuid": "5903496c-00b8-4fd9-8250-4b3802de0b81", "value": "1a2cd9b94a70440a962d9ad78e5e46d7d22070d0" }, { "category": "External analysis", "comment": "- Xchecked via VT: 1a4d58e281103fea2a4ccbfab93f74d2", "deleted": false, "disable_correlation": false, "timestamp": "1493387628", "to_ids": false, "type": "link", "uuid": "5903496c-8284-4ffd-94bb-4ac102de0b81", "value": "https://www.virustotal.com/file/f5872f49943c39b73026fc3982b85330953a138cc27c23487a28103337bfdbb5/analysis/1492046570/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 018433e8e815d9d2065e57b759202edc", "deleted": false, "disable_correlation": false, "timestamp": "1493387629", "to_ids": true, "type": "sha256", "uuid": "5903496d-1568-4141-8b0d-4f7602de0b81", "value": "12c2c3566c29f80478277e0f96b79fc85b9e86ebf16505d8f2d7877a6204f860" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: 018433e8e815d9d2065e57b759202edc", "deleted": false, "disable_correlation": false, "timestamp": "1493387629", "to_ids": true, "type": "sha1", "uuid": "5903496d-93e0-4829-b4ea-4ca502de0b81", "value": "c05451b0eb6246676dcf93f86be971004c40b631" }, { "category": "External analysis", "comment": "- Xchecked via VT: 018433e8e815d9d2065e57b759202edc", "deleted": false, "disable_correlation": false, "timestamp": "1493387629", "to_ids": false, "type": "link", "uuid": "5903496d-c4f8-42f6-a121-4f6702de0b81", "value": "https://www.virustotal.com/file/12c2c3566c29f80478277e0f96b79fc85b9e86ebf16505d8f2d7877a6204f860/analysis/1493377594/" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: facec411b6d6aa23ff80d1366633ea7a", "deleted": false, "disable_correlation": false, "timestamp": "1493387630", "to_ids": true, "type": "sha256", "uuid": "5903496e-7a44-4607-90ad-440202de0b81", "value": "155b13e582adeab564c60a1091b4dccc43ed78db290aa3e2da7e8bc1e039770c" }, { "category": "Payload delivery", "comment": "- Xchecked via VT: facec411b6d6aa23ff80d1366633ea7a", "deleted": false, "disable_correlation": false, "timestamp": "1493387630", "to_ids": true, "type": "sha1", "uuid": "5903496e-b240-47c9-94a4-497702de0b81", "value": "55beac11f0ee9049661ef9c35f52e226bc3035d0" }, { "category": "External analysis", "comment": "- Xchecked via VT: facec411b6d6aa23ff80d1366633ea7a", "deleted": false, "disable_correlation": false, "timestamp": "1493387631", "to_ids": false, "type": "link", "uuid": "5903496f-011c-4e8f-b442-4e8602de0b81", "value": "https://www.virustotal.com/file/155b13e582adeab564c60a1091b4dccc43ed78db290aa3e2da7e8bc1e039770c/analysis/1489419438/" } ] } }