
Is it the end of the DNSChanger Trojan?

Not really, especially in Latin America. Every day we register lots of similar attacks, each abusing local DNS settings. Strictly speaking these attacks are a bit different because they modify the local hosts file rather than the DNS server configuration, but the principle is the same – redirecting the victim to a malicious host via malicious name resolution.

Latin American cybercriminals are used to recycling old techniques used elsewhere in the past and what is happening right now is a growth of attacks abusing local DNS settings. The latest social engineering-based malware attack in Mexico – which imitated the Mexican tax office – is a recent example of this.

By clicking on the link the victim downloads and installs a Trojan which is related to Ngrbot and modifies the local hosts file. It steals money from two Mexican banks by redirecting the infected victims to fake banking websites.
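A hosts-file pharming modification of this kind is easy to detect on a host: the hosts file should only ever map names to loopback or blackhole addresses, so any watched banking or webmail domain that resolves to a routable address via that file is a red flag. The following is an added example, not code from the original post or from Kaspersky; the bank domains, the watchlist and the sample file contents are constructed for illustration.

```python
import ipaddress
import re

# Constructed sample of a Windows hosts file after a pharming-style
# modification: two made-up bank domains are pointed at a made-up
# attacker-controlled address (198.51.100.23, a documentation range).
SAMPLE_HOSTS = """\
# default entries
127.0.0.1       localhost
::1             localhost
198.51.100.23   www.example-bank.mx example-bank.mx
198.51.100.23   banca.otro-banco.mx   # trailing comment, must be ignored
0.0.0.0         ads.example.net
"""

# Hypothetical watchlist: domains whose resolution we care about.
WATCHLIST = {"example-bank.mx", "otro-banco.mx", "mail.yahoo.com"}

def parse_hosts(text):
    """Yield (ip, hostname) pairs from hosts-file text, ignoring comments."""
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        fields = re.split(r"\s+", line)
        ip, names = fields[0], fields[1:]      # one address, one or more names
        for name in names:
            yield ip, name.lower()

def _matches_watchlist(hostname):
    """True if hostname equals a watchlist entry or is a subdomain of one."""
    return any(hostname == d or hostname.endswith("." + d) for d in WATCHLIST)

def find_pharming_entries(text):
    """Return (ip, hostname) entries that point a watched domain at a
    routable address (anything other than loopback or 0.0.0.0)."""
    findings = []
    for ip, name in parse_hosts(text):
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue   # malformed address field; skip the line
        # loopback and the unspecified address are the legitimate uses
        if addr.is_loopback or addr.is_unspecified:
            continue
        if _matches_watchlist(name):
            findings.append((ip, name))
    return findings
```

On a real Windows machine the same function can be run over the contents of C:\Windows\System32\drivers\etc\hosts; on Unix-like systems over /etc/hosts.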

There is interesting information contained inside the code – the path of the Trojan's source project before compilation:

(C:\Users\Alx\Desktop\pharming_root3d\Project1.vbp)

After browsing some underground Spanish-language forums, I found that the author of this malware has been operating since at least 2004 and apparently lives in Peru.

Most of the victims are, of course, from Mexico. The main means of spreading the malware is email and the most widely-targeted email provider is Yahoo mail.

There are at least 11,540 downloads of this malware, and overall it has been detected by 9 out of 31 antivirus engines. That basically means there are some 8,000 infections out there.

The fact that a fairly experienced cybercriminal (operating since 2004) still uses malicious techniques to abuse local DNS settings and can still net a large number of victims (8,000) once again confirms that the DNSChanger trend won't change in the near future. We will keep seeing new pieces of malware using and refining the same technique. This story is set to continue…

