Infoblox Threat Intel<p><span class="h-card" translate="no"><a href="https://infosec.exchange/@shadowserver" class="u-url mention" rel="nofollow noopener" target="_blank">@<span>shadowserver</span></a></span> helped us disrupt a prolific website malware multiple times in early August. This malware uses DNS TXT records for a C2 to redirect users to scams and malware. Exclusively redirecting to VexTrio for years, they have been disrupted a few times by us and partners this past year, and each time that allows us to understand the criminal enterprise a bit further. <br> <br>Prior to the disruption, we analyzed over 4M DNS responses from the authoritative servers, provided by several partners and covering a short window of traffic. </p><p>The diagram below shows how the server is likely to redirect website visitors based on their geo and device type, which are encoded in the query. Connections to Strela Stealer in June. We are in the process of writing up research around how this all connects to the MikroTik router botnet we published early this year. <br> <br>In mid-June, the C2 server domain had a global popularity level on Tranco of about 80k, pretty high for a niche domain. <br> <br>What happened after Shadowserver sinkholed the C2 domain? We saw nearly 30k sites reach out to the sinkhole in a 48-hour period. Lots of bot activity: these queries only come from compromised websites, and there were nearly 37M unique queries in that time! <br> <br>Of course the threat actors adjust; that is part of the game. But we learnt a lot in the process. 
</p><p>The diagram also shows how several of the TDSs are related to each other in these flows.</p><p><a href="https://infosec.exchange/tags/dns" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>dns</span></a> <a href="https://infosec.exchange/tags/threatintel" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>threatintel</span></a> <a href="https://infosec.exchange/tags/scam" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>scam</span></a> <a href="https://infosec.exchange/tags/malware" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>malware</span></a> <a href="https://infosec.exchange/tags/tds" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>tds</span></a> <a href="https://infosec.exchange/tags/infoblox" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infoblox</span></a> <a href="https://infosec.exchange/tags/vextrio" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>vextrio</span></a> <a href="https://infosec.exchange/tags/cybercrime" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybercrime</span></a> <a href="https://infosec.exchange/tags/cybersecurity" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>cybersecurity</span></a> <a href="https://infosec.exchange/tags/infosec" class="mention hashtag" rel="nofollow noopener" target="_blank">#<span>infosec</span></a></p>
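The post describes compromised websites beaconing to a C2 over DNS TXT queries whose leftmost label encodes the visitor's geo and device type. As an added defender-side illustration (not code from the post or from Infoblox), the following hunts for that pattern in a web server's DNS query log: TXT queries whose leftmost label looks like an encoded blob, skipping standard underscore records such as _dmarc and _domainkey. The log format, the c2-placeholder.example domain and the encoded labels are all constructed for the example.

```python
import math
import re
from collections import Counter

# Constructed sample DNS query log from a web server (hypothetical format:
# timestamp, source IP, query type, query name). The C2 domain is a placeholder,
# not the one referenced in the post; the encoded labels are made up.
SAMPLE_LOG = """\
2025-08-03T10:00:01Z 10.0.0.5 TXT 5553-7562-6d6f62696c65.c2-placeholder.example
2025-08-03T10:00:02Z 10.0.0.5 TXT 4445-6465736b746f70.c2-placeholder.example
2025-08-03T10:00:03Z 10.0.0.5 A www.example.org
2025-08-03T10:00:04Z 10.0.0.7 TXT _dmarc.example.org
2025-08-03T10:00:05Z 10.0.0.7 TXT ZnItZGVza3RvcA.c2-placeholder.example
2025-08-03T10:00:06Z 10.0.0.9 TXT selector1._domainkey.example.net
2025-08-03T10:00:07Z 10.0.0.9 TXT example.net
"""

LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")
LABEL_CHARSET = re.compile(r"[A-Za-z0-9+/=_-]+")

def shannon_entropy(s: str) -> float:
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_encoded(label: str) -> bool:
    """Heuristic for a leftmost label carrying an encoded blob (hex or
    base64-like) rather than a hostname word: long, blob charset, at least
    one digit, and not extremely repetitive."""
    core = label.replace("-", "")
    return (len(core) >= 12
            and LABEL_CHARSET.fullmatch(label) is not None
            and any(ch.isdigit() for ch in core)
            and shannon_entropy(core) >= 2.0)

def suspicious_txt_queries(log_text: str):
    """Return (source_ip, qname) for TXT queries whose leftmost label looks
    encoded. Names containing an underscore label (_dmarc, _domainkey,
    _acme-challenge and similar) are standard TXT lookups and are skipped."""
    hits = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        _ts, src, qtype, qname = m.groups()
        labels = qname.split(".")
        if qtype != "TXT" or any(lab.startswith("_") for lab in labels):
            continue
        if looks_encoded(labels[0]):
            hits.append((src, qname))
    return hits

def sources_by_hit_count(hits):
    """Rank source hosts by suspicious TXT query count; a compromised site
    beacons repeatedly, so repeat offenders surface first."""
    return Counter(src for src, _ in hits).most_common()
```

Feed it a real resolver or web-server query log in the same four-column shape and triage the top sources first; the thresholds are starting points to tune against your own baseline.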