Search This Blog
Powered by Blogger.

Blog Archive

Labels

Footer About

Footer About

Labels

Load More
Trendy Right Now

Popular Posts

Showing posts with label DNS attacks. Show all posts
ETH Cyber Attacks
Advanced Social Engineering AI Phishing Attacks Cyber Security Cyberattacks DNS DNS attacks DNS Hijacking ETH Cyber Attacks

eth.limo DNS Hijack Thwarted By DNSSEC After Social Engineering Attack On EasyDNS

 

Unexpectedly, the ENS gateway known as eth.limo revealed a DNS hijack stemming from a social engineering scheme aimed at EasyDNS, its domain provider. Though settings shifted temporarily under unauthorized access, safeguards held firm throughout. Protection layers blocked harm, keeping user activity untouched during the episode. Compromise occurred at the registrar level - yet defenses prevented escalation beyond domain redirection. Hours after the incident started, a person pretending to be part of the eth.limo group tricked EasyDNS support into starting an account reset. 

Because of that mistaken trust, the intruder gained entry and altered where the domain pointed, shifting it first through servers at Cloudflare, then moving again toward Namecheap systems. Right away, automatic warnings went off once those shifts happened, which gave the real eth.limo members time to react fast. Their quick actions reversed the breach soon afterward. A single point of failure in eth.limo allowed it to act like a bridge, routing requests from regular browsers to data hosted on networks such as IPFS, Arweave, and Swarm. Because its DNS setup uses wildcards, countless .eth addresses rely on the same infrastructure - making them vulnerable when one part fails. 

Traffic meant for legitimate decentralized sites might instead flow toward harmful servers under attacker control. Notable resources, even those tied to figures like Vitalik Buterin, faced potential exposure should deception tactics have taken hold. Stopping the damage came down to DNS Security Extensions - called DNSSEC by many. Not through speed, but through verification: it checks DNS replies with digital signatures. Without access to the correct private keys, the hacker's fake entries could not pass these tests. Because validation failed, devices refused the corrupted data, showing failures rather than loading harmful pages. 

Though eth.limo and EasyDNS saw interference, they noted minimal reach due to this layer. To date, no individuals have faced consequences from the attempt. Surprisingly, EasyDNS spoke out after the event, calling it their initial customer-targeted social engineering success in almost thirty years. Following this, improvements to internal procedures are underway. Instead of old methods, eth.limo will shift to a tighter system - one without recovery pathways. That change aims to block repeat incidents. 

Over time, weaker entry points may fade. Security evolves differently now. Most recent cases show similar patterns across decentralized services. Though blockchains themselves stay distributed and protected, the websites people actually visit run on standard domain setups. These entry points open doors hackers are now using more frequently. Instead of breaking encryption, they shift traffic by manipulating DNS records. Users get sent elsewhere without noticing - sometimes losing assets quickly. Security layers matter more than ever, shown clearly by what happened with eth.limo. 

Even when human manipulation tricks succeed, safeguards such as DNSSEC often stop further damage. Because digital dangers keep changing shape, companies - especially in cryptocurrency - now pay closer attention to protecting not just blockchain networks but also the traditional services people rely on to reach them.
Read more »
Social Engineering
DLL DNS attacks Emails malware Microsoft Teams Social Engineering

Fake IT Support on Microsoft Teams Used to Deliver New A0Backdoor Threat

 


A contemporary cyber campaign has been identified where attackers are using Microsoft Teams to target employees in financial and healthcare organizations, eventually infecting systems with a newly observed malware known as A0Backdoor.

Research from BlueVoyant shows that the attackers rely heavily on social engineering. They begin by overwhelming an employee’s inbox with large volumes of spam emails. Soon after, they contact the same individual on Microsoft Teams, pretending to be part of the company’s IT support team and offering help to resolve the issue. This sequence is designed to build trust and make the request appear routine.

Once the victim is convinced, the attacker asks them to start a remote session using Quick Assist, a built-in Windows feature meant for remote troubleshooting. After access is granted, the attacker delivers a set of malicious tools through MSI installer files. These installers are digitally signed and hosted on a personal Microsoft cloud storage account, which helps them appear legitimate at first glance.

The researchers found that these MSI files are disguised as familiar Microsoft-related components, including Microsoft Teams elements and CrossDeviceService, a real Windows service used by the Phone Link application. This naming strategy helps the files blend in with normal system processes.

To execute the attack, the threat actor uses a technique called DLL sideloading. This involves running trusted Microsoft programs to load a malicious file named hostfxr.dll. Inside this file is data that is either compressed or encrypted. When the file is loaded into memory, it decrypts this data into shellcode and begins execution.

The malware also uses the CreateThread function to generate multiple threads. This behavior is not meant to improve performance but to make analysis harder. According to the researchers, creating too many threads can cause debugging tools to crash, even though it does not noticeably affect normal system activity.

After execution begins, the shellcode checks whether it is running inside a sandbox environment, which is commonly used by security analysts. If no such environment is detected, it proceeds to create a cryptographic key derived from SHA-256. This key is then used to decrypt the A0Backdoor payload, which is protected using AES encryption.

Once decrypted, the malware moves itself to a different region in memory and activates its main functions. It collects system-level information using Windows API calls such as DeviceIoControl, GetUserNameExW, and GetComputerNameW. This allows it to identify and profile the infected machine.

For communication with its operators, the malware avoids traditional methods and instead uses DNS traffic. It sends DNS MX queries that contain encoded data within complex subdomains to public recursive DNS servers. The responses it receives include MX records that carry encoded instructions. The malware extracts the relevant part of the response, decodes it, and then follows the commands.

Researchers explain that using MX records helps the traffic appear normal, making it harder to detect compared to other DNS-based techniques, especially those that rely on TXT records, which are more commonly monitored.

The campaign has already targeted at least two organizations, including a financial institution in Canada and a global healthcare company.

BlueVoyant assesses with moderate to high confidence that this activity builds on methods previously linked to the BlackBasta group. Although that group reportedly shut down after internal chat logs were leaked, parts of its approach appear to be continuing in this operation.

At the same time, the researchers point out that several elements in this campaign are new. These include the use of signed MSI installers, the A0Backdoor malware itself, and the use of DNS MX records for command-and-control communication.

This case reflects how attackers are adapting their methods by combining trusted tools, familiar platforms, and layered techniques to bypass detection.

Read more »
Malware Attack
AI Models AI Prompt AI prompt injection attack Cyber Security cybercriminals DNS DNS attacks DNS Hacking DOH DoT Hacker attack Malware Attack

Hackers Use DNS Records to Hide Malware and AI Prompt Injections

 

Cybercriminals are increasingly leveraging an unexpected and largely unmonitored part of the internet’s infrastructure—the Domain Name System (DNS)—to hide malicious code and exploit security weaknesses. Security researchers at DomainTools have uncovered a campaign in which attackers embedded malware directly into DNS records, a method that helps them avoid traditional detection systems. 

DNS records are typically used to translate website names into IP addresses, allowing users to access websites without memorizing numerical codes. However, they can also include TXT records, which are designed to hold arbitrary text. These records are often used for legitimate purposes, such as domain verification for services like Google Workspace. Unfortunately, they can also be misused to store and distribute malicious scripts. 

In a recent case, attackers converted a binary file of the Joke Screenmate malware into hexadecimal code and split it into hundreds of fragments. These fragments were stored across multiple subdomains of a single domain, with each piece placed inside a TXT record. Once an attacker gains access to a system, they can quietly retrieve these fragments through DNS queries, reconstruct the binary code, and deploy the malware. Since DNS traffic often escapes close scrutiny—especially when encrypted via DNS over HTTPS (DOH) or DNS over TLS (DOT)—this method is particularly stealthy. 

Ian Campbell, a senior security engineer at DomainTools, noted that even companies with their own internal DNS resolvers often struggle to distinguish between normal and suspicious DNS requests. The rise of encrypted DNS traffic only makes it harder to detect such activity, as the actual content of DNS queries remains hidden from most monitoring tools. This isn’t a new tactic. Security researchers have observed similar methods in the past, including the use of DNS records to host PowerShell scripts. 

However, the specific use of hexadecimal-encoded binaries in TXT records, as described in DomainTools’ latest findings, adds a new layer of sophistication. Beyond malware, the research also revealed that TXT records are being used to launch prompt injection attacks against AI chatbots. These injections involve embedding deceptive or malicious prompts into files or documents processed by AI models. 

In one instance, TXT records were found to contain commands instructing a chatbot to delete its training data, return nonsensical information, or ignore future instructions entirely. This discovery highlights how the DNS system—an essential but often overlooked component of the internet—can be weaponized in creative and potentially damaging ways. 

As encryption becomes more widespread, organizations need to enhance their DNS monitoring capabilities and adopt more robust defensive strategies to close this blind spot before it’s further exploited.
Read more »
IP Address
CNAME Cyber Security Cyberattacks CyberCrime CyberThreat DNS attacks Fast Flux IP Address

Fast Flux Technique Identified as Growing Risk to US Cyber Infrastructure

 


A sophisticated cybercriminal technique called fast flux is being increasingly employed by cybercriminals, which is causing heightened concerns among intelligence agencies and cybersecurity agencies throughout the world. 

It has been reported in April 2025 that the United States National Security Agency (NSA), in conjunction with allied organizations, has issued a joint cyber advisory warning that fast flux poses a serious threat to national security, as a result of the use of fast flux. As per the advisory, using this technique allows both criminals and state-sponsored threat actors to create command-and-control infrastructures (C2) that are highly resistant to detection and disruption, and that are very difficult to detect or disrupt. 

As a result, the IP addresses of malicious domains are frequently rotated through a network of compromised systems, known as botnets, to create a continuous flow of malicious IP addresses. Defending against cyberattacks is extremely challenging due to the constant flux of IP addresses. This makes it extremely difficult for defenders to identify, track, or block the infrastructure supporting those attacks. 

Therefore, adversaries can conceal their actions and maintain persistent access to targeted systems and networks. It was noted by the National Intelligence Agency that this technique has been employed to facilitate a wide range of malicious operations, such as cyber espionage, phishing schemes, ransomware deployments, and other forms of cybercrime as well. As fast flux is increasingly being adopted by threat actors, it underscores the need for advanced defensive measures, as well as increased international collaboration, in the fight against emerging cyber threats. 

Fast flux is a DNS-based obfuscation technique increasingly used by cybercriminals to evade detection and disrupt conventional security measures to avoid detection. This method of cloaking the true location of malicious servers, as it rapidly alters the IP addresses associated with a domain name, makes it very difficult for cybersecurity teams to identify and eliminate malicious servers. 

By utilizing DNS's dynamic nature, the technique can keep malicious infrastructure running smoothly even when individual IP addresses and servers are discovered and taken down, while utilizing DNS's dynamic nature. It has been found that fast flux can be divided into two distinct types: single flux and double flux. A single flux is defined as a continuous rotation of the IP addresses associated with a domain name. This process usually draws from a large pool of compromised machines to maintain the integrity of the domain name. 

A double flux adds to this complexity by rotating the authoritative name servers as well, further complicating the infrastructure and making tracking harder. By taking advantage of this dynamic and distributed approach, attackers can build highly resilient command-and-control networks based on a global network of infected devices that are capable of maintaining operations for a long time. 

It is a variant of fast flux that introduces a layer of obfuscation and network resiliency to the network by rotating not only the IP addresses that point to a malicious domain, but also the DNS name servers that conduct domain lookups. Double flux adds a level of obfuscation and network resilience. As a result of this method, it becomes much more challenging for cybercriminals to track and dismantle their networks. 

As a result of security analysis, it has been found that DNS records from both Name Server (NS) and Canonical Name (CNAME) are used in double flux configurations, making it even more difficult to trace the root cause of malicious activity. According to a recent advisory issued on Thursday, both single flux and double flux techniques make use of vast networks of compromised hosts that act as proxies and relays, commonly called botnets. 

Consequently, network defenders are unable to identify, block, or pursue legal actions against the infrastructure supporting cyberattacks because of this distributed architecture. Fast flux, with its persistence and evasiveness, has become one of the most popular tactics among cybercriminals as well as government agencies and foreign governments alike. In the world of cyber threats, it has proven its strategic value and prevalence as well as its increasing prevalence. 

To differentiate themselves within the illegal marketplace, bulletproof hosting services, which are geared specifically towards criminal enterprises, use fast flux as part of their operation to harden their operations and distinguish themselves from their competitors. Several ransomware groups, such as Hive and Nefilim, have implemented fast flux into their campaigns to retain control over their infrastructure while avoiding detection by the authorities. 

Moreover, it has been documented that Russian-backed Gamaredon, a group of threat actors associated with the Kremlin, used the technique as part of their cyber espionage activities, highlighting its appeal to state-allied actors involved in geopolitical cyber operations. Cybersecurity experts recommend that a multifaceted defence strategy be developed to prevent fast flux from posing any threat. 

Several key measures include blocking known malicious IP addresses, sinkholing suspicious domains for disruptions in attacker communications, filtering traffic according to domain reputation, and training targeted users about phishing techniques and social engineering. It is crucial to monitor DNS activity constantly for anomalies or strange patterns to detect fast flux networks in advance of their ability to inflict significant damage. 

As a result of fast flux deployment, command-and-control (C2) communications are not the only applications that can be made use of to maintain command-and-control communications—it can also play a crucial role in enabling phishing campaigns by making malicious websites used to conduct social engineering attacks much more difficult to detect, block, or compromise. This method of attack enables phishing infrastructure to persist more effectively by rotating IP addresses and obscuring server locations, giving hackers greater ease in bypassing traditional filtering and takedown mechanisms. 

Furthermore, bulletproof hosting providers are increasingly promoting fast flux as a distinguishing feature in their services, since they can offer resilient and anonymous infrastructure to criminals. A fast flux service provider markets itself as providing a value-added capability that enhances the effectiveness and survivability of malicious operations, such as malware distribution, credential theft, and ransomware deployment. 

In April 2025, a coalition of international cybersecurity authorities issued a joint Cybersecurity Advisory (CSA) to address the growing threats posed by fast-flux networks. As part of the advisory, the U.S. National Security Agency (NSA), the Cybersecurity and Infrastructure Security Agency (CISA), and the Federal Bureau of Investigation (FBI) have collaborated. 

Among the Australian Signals Directorate's Australian Cyber Security Centre (ASD's ACSC), the Canadian Centre for Cyber Security (CCCS), and the National Cyber Security Centre for New Zealand (NCSC-NZ), there is the Australian Signals Directorate's Australian Cyber Security Centre. As a result of the collaborative effort, it has been made clear that fast flux techniques have global implications and that cross-border coordination is essential to combating this evolving cyber threat. 

As a result of the growing threat of fast flux techniques, the participating agencies are strongly recommending implementing a comprehensive, multilayered defence strategy so that attacks are detected and mitigated accordingly. It is important to utilise real-time threat intelligence feeds to identify suspiciously short DNS record lifespans. Furthermore, anomaly detection across DNS query logs can be implemented, along with DNS record time-to-live (TTL) values being analysed to identify anomalies. 

Network flow data can also help in the early detection of malicious activity, as it can be used as an indicator to identify inconsistent IP geolocations and irregular communication patterns. According to the advisory, several critical mitigation strategies can be used to protect enterprises and organisations from cyber threats. These include blocking domains and IP addresses, reputational filtering of DNS traffic, monitoring and logging of network activity, and educating users about the importance of phishing awareness.

As part of the guidance, it is stressed that collaboration with Internet Service Providers (ISPS), cybersecurity vendors, and particularly Protective DNS (PDNS) providers is essential to ensuring that these countermeasures will be implemented effectively. The coordination of efforts between infrastructure providers is essential to reduce the operational effectiveness of fast flux networks, as well as disrupt the cybercriminal ecosystem which is based on them.
Read more »
TLS
DigiCert DNS attacks Domain Validation Technology TLS

Domain Validation Bug: DigiCert Revokes TLS Certificates


In a major development in the tech landscape, SSL/TLS certificate provider "DigiCert" recently announced that it will be revoking around 83,267 certificates. This big step was taken due to a bug in their domain validation process, which dented the integrity of the affected certificates. The incident underscores the need for strong domain validation mechanisms and is a prompt reminder of the possible loopholes in cyberspace. 

“Recently, we learned that we did not include the underscore prefix with the random value used in some CNAME-based validation cases. This impacted approximately 0.4% of the applicable domain validations we have in effect. Under strict CABF rules certificates with an issue in their domain validation must be revoked within 24 hours, without exception,” said DigiCert in a statement.

The DigiCert incident

The main reason for the mass revocation exists within DigiCert's Domain Control Validation (DCV) process. The bug contained a missing underscore in the DNS CNAME entry, an important component to verify domain ownership. Due to the oversight, the certificates were issued without validation, undermining their credibility.

Domain validation is a basic step for issuing SSL/TLS certificates, it ensures the legitimacy of the entity requesting the certificate, to check if it's legit or not. In case of failure to validate domain ownership can be a security hazard. This includes man-in-the-middle attacks, where the threat actors intercept and manipulate communication between users and websites.

The impact

The impacted bug resulted in the potential exposure of various websites to security flaws. DigiCert acted promptly to contain the damage, issuing notice to the affected customers and giving a 24-hour wind to reissue certificates. But mass revocation also had repercussions for the affected organizations. Reissuing certificates on such massive scales required constant effort and coordination, especially for businesses with deep digital infrastructures.

Lessons for the future

1. Communications and transparency: DigiCert's swift response to impacted customers was crucial in addressing the bug. Being transparent with your customers becomes paramount, encouraging trust between both parties.

2. Rigorous testing and quality assurance: DigiCert's DCV process bug shows how a minor oversight can cause major disruptions.

3. Proactive, not just preventive measures: An important measure for tracking and addressing flaws before threat actors can exploit them. Frequent audits, auto-testing, and constant monitoring will help.

Read more »
masOS Apps
Command and Control(C2) DNS attacks Hackers Kaspersky macOS malware masOS Apps

Hackers Drain Wallets via Cracked macOS Apps using Scripts Accessed From DNS Records


Hackers have found another clever way to transfer information-stealing malware to macOS users, apparently through DNS records that could hide malicious scripts.

The attack is being targeted to macOS Ventura and later, depending on the vulnerable applications repackaged as PKG files that include a trojan. 

Attack details

The attack was discovered by researchers at Kaspersky, following which they analyzed the stages of the infection chain. 

While downloading an Application/folder, victims tend to follow installation instructions, unaware that they are actually executing the malware. Following this, they open the bogus Activator window that asks for the administrator password. 

The malware uses the 'AuthorizationExecuteWithPrivileges' method to execute a 'tool' executable (Mach-O) after acquiring permission. If Python 3 is not already installed on the system, it installs it and appears to be "app patching."

The malware then contacts its C2 server, at a site named ‘apple-health[.]org,’ in order to obtain a base64- encoded Python script that is designed to run arbitrary commands on the targeted device. 

Researchers discovered that the attacker employed a clever technique to reach the C2 server at the right URL: a third-level domain name consisting of a random string of five letters and words from two hardcoded lists.

This way, the hacker was able to conceal its activity in traffic and download the Python script payload disguised as TXT records from the DNS server, which seem like common requests. 

Three TXT entries, each a base64-encoded portion of an AES-encrypted message containing the Python script, were included in the DNS server's response.

This first Python script served as a downloader for a second Python script that captures and sends information about the compromised system, including the CPU type, installed apps, directory listings, operating system version, and external IP address.

Kaspersky notes that during their analysis, the C2 provided upgraded copies of the backdoor script, indicating continuing development, but didn't see command execution, thus this might not have been deployed yet.

Additionally, two functions in the downloaded script search the compromised system for Bitcoin Core and Exodus wallets; if they are detected, they replace the original wallets with backdoored versions obtained from 'apple-analyzer[.]com.'

The code in the compromised wallets transmits to the attacker's C2 server the seed phrase, password, name, and balance.

Users usually do not get suspicious when their wallet app suddenly asks them to re-enter their wallet details, making them vulnerable to getting their wallets emptied. 

As indicators of compromise, the cracked software used in this campaign is made public in the Kaspersky study. According to the researchers, these applications "are one of the easiest ways for malicious actors to get to users’ computers."

While using cracked programs to trick users into downloading malware is a popular attack vector, the campaign that Kaspersky examined demonstrates that threat actors are sufficiently crafty to devise novel ways of delivering the payload, such as concealing it in a DNS server's domain TXT record.  

Read more »
URL Shortener
CERT Critical Flaw cyber security agency DHS DNS attacks Domain Malicious actor Phising Attacks unauthorised access URL URL Shortener

PUMA Network: Unmasking a Cybercrime Empire

A massive cybercrime URL shortening service known as "Prolific Puma" has been uncovered by security researchers at Infoblox. The service has been used to deliver phishing attacks, scams, and malware for at least four years, and has registered thousands of domains in the U.S. top-level domain (usTLD) to facilitate its activities.

Prolific Puma works by shortening malicious URLs into shorter, more memorable links that are easier to click on. These shortened links are then distributed via email, social media, and other channels to unsuspecting victims. When a victim clicks on a shortened link, they are redirected to the malicious website.

Security researchers were able to track Prolific Puma's activity by analyzing DNS data. DNS is a system that translates domain names into IP addresses, which are the numerical addresses of websites and other devices on the internet. By analyzing DNS data, researchers were able to identify the thousands of domains that Prolific Puma was using to deliver its malicious links.

Prolific Puma's use of the usTLD is particularly noteworthy. The usTLD is one of the most trusted TLDs in the world, and many people do not suspect that a link with a usTLD domain could be malicious. This makes Prolific Puma's shortened links particularly effective at deceiving victims.

The discovery of Prolific Puma is a reminder of the importance of being vigilant when clicking on links, even if they come from seemingly trusted sources. It is also a reminder that cybercriminals are constantly developing new and sophisticated ways to attack their victims.

Here are some tips for staying safe from Prolific Puma and other malicious URL shortening services:

  • Be wary of clicking on links in emails, social media posts, and other messages from unknown senders.
  • If you are unsure whether a link is safe, hover over it with your mouse to see the full URL. If the URL looks suspicious, do not click on it.
  • Use a security solution that can detect and block malicious links.
  • Keep your web browser and operating system up to date with the latest security patches.

The security researchers who discovered Prolific Puma have contacted the United States Computer Emergency Readiness Team (US-CERT) and the Department of Homeland Security (DHS) about the service. Both agencies are working to take down Prolific Puma's infrastructure and prevent it from being used to launch further attacks.

Prolific Puma is not the first malicious URL-shortening service to be discovered. In recent years, there have been a number of other high-profile cases of cybercriminals using URL shortening services to deliver malware and phishing attacks.

The discovery of Prolific Puma is a reminder that URL shortening services can be abused for malicious purposes. Users should be cautious when clicking on shortened links, and should take steps to protect themselves from malware and phishing attacks.

Read more »
malware
C2 Exploit Decoy Dog DNS attacks Infoblox malware

Uncovering the Decoy Dog C2 Exploit: Infoblox's Finds Dangerous Threat

Decoy Dog

Finding recent reports on Domain Name System (DNS) attacks may prove difficult as a report by IDC in 2021 highlighted that 87% of organizations encountered a DNS attack in 2020. 

Despite this, DNS is not typically considered a prominent target in attacks, likely due to complex security terminologies such as DNS over TLS or HTTP. According to a report by CloudFlare, DNS queries in plaintext can be encrypted with TLS and HTTP to ensure secure and private browsing. 

In spite of this, Akamai's DNS threat report for Q3 highlighted a rise of 40% in DNS attacks during the corresponding quarter of the previous year. Furthermore, during Q3 of the previous year, 14% of all safeguarded devices communicated with a malicious designation at least once.

A new malware toolkit called Decoy Dog

The Infoblox Threat Intelligence Group, which examines billions of DNS records and millions of domain-related records daily, has identified a new malware toolkit called Decoy Dog that employs the Pupy remote access trojan. 

RenĂ©e Burton, Senior Director of Threat Intelligence at Infoblox, revealed that Pupy is an open-source tool that is complex to utilize and inadequately documented. Infoblox's findings indicate that the Decoy Dog toolkit is being employed in less than 3% of all networks, and the threat actor who controls it is linked to only 18 domains. 

Through a sequence of anomaly detectors, the team discovered Decoy Dog's activities and learned that it had been running a data exfiltration command and control system since early April 2022 for over a year, which no one else had detected.

Russian links

Infoblox's researchers discovered that the Decoy Dog C2 was primarily originating from hosts located in Russia, according to an analysis of external global DNS data. 

The concern with this malware is that no one knows precisely what it controls, even though its signature is known. 

Burton explained that command and control allow an attacker to take over systems and issue orders, such as extracting all of an individual's emails or shutting down a firewall. She also stated that Pupy, which is linked to Decoy Dog, has previously been associated with nation-state activities, despite not being easy for the average cybercriminal to access due to its complexity and lack of instructions on establishing the DNS nameserver required for C2 communications.

The RAT effect

Similar to legitimate remote access tools that allow technicians to showcase new systems or make repairs, RATs are straightforward to install and do not affect the computer's processing speed. These malicious tools can be delivered via email, video games, software, advertisements, and web pages. Pupy is a RAT that has particular C2 functionalities.

As per Burton,
  • RATs allow access to a system and some use C2 infrastructure for remote control.
  • Pupy is a challenging-to-detect, cross-platform, open-source C2 tool primarily coded in Python.
  • Decoy Dog is a rare type of Pupy deployment that can be identified through its DNS signature. According to Infoblox, only 18 domains match this signature out of 370 million.

Some common uses of RAT malware involve an attacker acquiring remote access to a laptop, then leasing it out to other threat actors who install more malware through its network access. This can result in a laptop becoming part of a botnet.

Toolkits that are small and unusual can pose hidden dangers

Hidden RATs, or malware of unknown origin that remains undetected, can pose significant risks. For example, in 2018, Israeli cyber-arms firm NSO Group developed a C2 spyware called Pegasus that could infiltrate and control various mobile devices, giving remote hackers access to a phone's cameras, location, microphone, and other sensors for surveillance purposes.

Amnesty International became involved when the Saudi government allegedly used Pegasus to spy on the family of Jamal Khashoggi, who had been murdered by government operatives.

Amnesty International's Security Lab recently uncovered another commercial spyware that went unnoticed for two years and utilized zero-day attacks against Google's Android operating systems. However, Infoblox had already blocked 89% of those domains before Amnesty's report, providing protection to its customers and verifying Amnesty's findings, according to Burton.



Read more »
Subscribe to: Posts (Atom)