Malware Exfiltrating Credentials Via DNS

Researchers from Alert Logic have discovered and reported on a malware campaign using DNS queries to exfiltrate credentials. The credentials are obtained from a backdoored SSH client on a victim system.

When the client connects to a remote server, the username, the password, the IP address of the remote server, and the local system's MAC address and domains are exfiltrated as three encoded strings in a DNS query to the attacker-controlled name servers.

Alert Logic has provided code for decoding the first of the three strings sent in the DNS query.
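Defenders can catch this kind of traffic in resolver logs without decoding the payload. The Python below is an added example, not Alert Logic's decoder or the malware's code: it scores a constructed query log, flagging names whose base domain is one of the C&C domains from this post's IoCs or whose leftmost labels are long and high-entropy, as the three encoded strings would be. The log layout, the sample names and the thresholds (40 characters, 3.5 bits) are assumptions to tune per environment.

```python
import math
from collections import Counter

# Domains from the post's IoC list; the query names and log lines below are constructed.
KNOWN_C2 = {"weberdut.co", "icdn-cloud.com"}

# Constructed resolver log in a minimal "<timestamp> <client> <qname> <qtype>" layout.
SAMPLE_LOG = """\
2019-03-01T10:00:01Z 10.0.0.5 www.example.com A
2019-03-01T10:00:02Z 10.0.0.5 mail.example.com A
2019-03-01T10:00:03Z 10.0.0.7 c0ffee1234abcd.9e8d7c6b5a4f.0123456789abcdef.weberdut.co A
2019-03-01T10:00:04Z 10.0.0.7 ZGVhZGJlZWZjYWZl.icdn-cloud.com TXT
2019-03-01T10:00:05Z 10.0.0.9 cdn.example.net A
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for empty input)."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def score_query(qname: str, known_c2=KNOWN_C2) -> list:
    """Reasons a query name looks like encoded data riding on DNS (empty list if none)."""
    labels = qname.rstrip(".").split(".")
    # Crude last-two-label base domain; use a public-suffix list in production.
    base = ".".join(labels[-2:])
    payload = ".".join(labels[:-2])  # the labels the querying host chooses per request
    reasons = []
    if base in known_c2:
        reasons.append("known-c2-domain")
    if len(payload) >= 40:
        reasons.append("long-subdomain")
    if payload and shannon_entropy(payload) >= 3.5:
        reasons.append("high-entropy-labels")
    if len(labels) >= 5:
        reasons.append("many-labels")
    return reasons

def find_suspicious(log_text: str) -> dict:
    """Map each flagged query name (lowercased) to its reasons, skipping malformed lines."""
    flagged = {}
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue
        qname = parts[2].lower()
        if reasons := score_query(qname):
            flagged[qname] = reasons
    return flagged
```

Ordinary names such as `www.example.com` score nothing, while the two constructed queries to the listed C&C domains are flagged with the reasons that fired.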

Data exfiltration is any unauthorised movement of data. It is also known as data exfil, data exportation, data extrusion, data leakage and data theft.

Further details here.

Indicators of Compromise

Hashes

  • cca561fe23233bfc6553435c11a6c19f5864c0028f7dd6466940c3818cdc5131
  • 68d4b6af4f961f323b57b7e43e2004a11a59b4910271d9b3e9731fc992f51c55

C&C Servers

  • weberdut.co
  • icdn-cloud.com

IP Addresses

  • 164.132.181.85
  • 194.99.23.199

Jason Davies

UK based technology professional, with an interest in computer security and telecoms.
