Malware Domains and DNS Attack Infrastructure

How Cybercriminals Use DNS Infrastructure #

Many modern malware campaigns rely heavily on the Domain Name System (DNS) to distribute malicious payloads, redirect victims, and maintain communication with command-and-control servers.

Attackers use techniques such as traffic distribution systems (TDS), domain generation algorithms (DGA), compromised websites and rapidly changing domain infrastructure to evade detection.

The following examples illustrate real malware campaigns and how DNS firewall technologies such as RPZ can block these attacks by preventing the resolution of malicious domains.

Planisys DNS Firewall with RPZ (Response Policy Zones)

By using Planisys RPZ as resolver for users' workstations, end users are gaining an additional layer of protection. Thus Planisys Firewall is a very importante piece in the architecture of Endpoint Protection, as it simply doesn't resolve domains that are known to be involved in Malware campaigns, among other use cases.

Those domains are IoC's (Indicators of Compromise) that flag the network are you're being dragged into.

With Planisys DNS Firewall, we intend to block this traffic flow at the DNS level, thus thwarting the attack at the very beginning , by being up-to-date with recent research and malware discoveries.

Traffic Distribution Systems

Cybercriminals use TDS or Traffic Distribution Systems to redirect users to infected sites, based on visitors' IP addresses and browsers. Certain malwares are associated with even commercial TDSs as used in the e-marketing or advertising world.

The TDSs are huge networks built with enormous quantities of hacked Wordpress sites and other compromised websites, thousands of registered domains built with DGA or Domain Generated Algorithms and affiliate networks that help in redirecting the traffic to the published malware that are difficult to identify as they use the UTM or Urchin Tracking Module and domains that ressemble well-known domains.
VexTrio TDS

VexTrio is one of the most important TDS by 2023/2024 with 60+ affiliates, although it's been operating since 2017 and changing its MaaS (Malware as a Service) over time, disovered by an Infoblox research. It redirects customers, sometimes using iframes with hidden Javascript code (often base64 encoded to make it less readable), - according to IP address and web-browser fingerprinting - to different portals, for example to ClearFake and SocGholish Phishing Malware.

The ClearFake Malware

The ClearFake malware, that invites the end user to update Chrome or Edge browser, can be easily mitigated with Planisys RPZ (Response Policy Zones), as part of the Planisys DNS Firewall.

If the users resolve domain names through a regular resolver, they are most likely going be trapped and infected, at least with a downloader.

The domains involved are being resolved by public resolvers like e.g. Cloudflare's 1.1.1.1 , but not by Planisys RPZ if you use it as your resolver.

When the users' browsers try to resolve the involved domain names, Planisys RPZ will return NXDOMAIN thus avoiding the trap.

Here are more domains involved in this attack, as detected by VirusTotal:

The SocGholish Malware

The VexTrio cluster and redirection monster leads also to the download of the SocGholish zip , hidden in compromised websites, which is a downloader that facilitates Ransomware such as WastedLocker, LockBit, Drydex, Hive, etc.
Wordpress Brute Force Trick and CORS (March 2024)

A new password cracking botnet has been spreading, which uses a site for distribution of actions, and relies on infected Wordpress websites that host Javascript injection to perform a bruteforce attack.

Regrettably, the the website that exports the php scripts that perform part of the brute force attacks, is listed in Cisco Umbrella as safe.
Nevertheless, this attack can be by-passed by using Planisys DNS RPZ Firewall as resolver.

Please bear in mind that attackers can quickly change the domains where they host their malware, so both Wordpress admin and xmlrpc.php should only be granted access to trusted IPs, which you can perform putting Planisys CDN in front of your Wordpress website.