Malware Exfiltrating Credentials Via DNS
Researchers from Alert Logic have discovered and reported on a malware campaign using DNS queries to exfiltrate credentials. The credentials are obtained from a backdoored SSH client on a victim system.
When the backdoored client connects to a remote server, the username, password, IP address of the remote server, and the local system's MAC address and domains are exfiltrated as three encoded strings inside a DNS query sent to attacker-controlled name servers.
Alert Logic has provided code for decoding the first of the three strings sent in the DNS query.
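The decoding code Alert Logic published is not reproduced here. What a defender can do with the article's description alone is look for the exfiltration pattern in DNS query logs: several long, high-entropy subdomain labels under one registered domain, optionally combined with a match against the C&C domains listed in the indicators below. The following Python is an added example written for this page, not code from Alert Logic or from the malware; the log layout (`<timestamp> <client-ip> <queried-name>`), the sample lines, and the thresholds are constructed assumptions, and the IoC domains are taken from the article. The heuristic is deliberately more general than this one campaign: it flags encoded-looking queries to any domain, not only the two listed.

```python
"""Detection sketch for DNS-based credential exfiltration.

Added example (not from the Alert Logic report). Flags DNS queries whose
subdomain labels look like encoded payloads, and queries to the C&C
domains the article lists as indicators of compromise.
"""
import math
from collections import Counter

# Attacker-controlled name servers from the article's IoC section.
IOC_DOMAINS = {"weberdut.co", "icdn-cloud.com"}

# Constructed sample log (not real traffic). Hypothetical layout:
# "<timestamp> <client-ip> <queried-name>", one query per line.
# Line 3 mimics the described pattern: three encoded labels under a C&C domain.
# Line 4 is a long but low-entropy label (should NOT be flagged).
# Line 5 is an encoded-looking label under a domain not in the IoC list.
SAMPLE_LOG = """\
2023-01-01T10:00:01Z 10.0.0.5 www.example.com
2023-01-01T10:00:02Z 10.0.0.5 mail.example.com.
2023-01-01T10:00:03Z 10.0.0.7 6a3f9c1d2e8b7a5f4c3d2e1f0a9b8c7d.5e4d3c2b1a0f9e8d7c6b5a4f3e2d1c0b.9f8e7d6c5b4a3f2e1d0c9b8a7f6e5d4c.weberdut.co
2023-01-01T10:00:04Z 10.0.0.7 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa.example.org
2023-01-01T10:00:05Z 10.0.0.9 4b2a1c9d8e7f6a5b4c3d2e1f0a9b8c7d.unknown-host.net
"""


def shannon_entropy(s: str) -> float:
    """Bits per character: about 4.0 for random hex, 0 for a repeated character."""
    if not s:
        return 0.0
    n = len(s)
    return -sum((c / n) * math.log2(c / n) for c in Counter(s).values())


def parse_line(line: str) -> tuple[str, str, str]:
    """Split one constructed log line; normalise the name (strip root dot, lowercase)."""
    ts, client, qname = line.split()
    return ts, client, qname.rstrip(".").lower()


def registered_domain(qname: str) -> str:
    """Naive registered domain = last two labels.

    Sufficient for the IoCs on this page; a public-suffix list is needed
    to handle names such as example.co.uk correctly.
    """
    return ".".join(qname.split(".")[-2:])


def classify(qname: str, min_label_len: int = 30, min_entropy: float = 3.0) -> list[str]:
    """Return the reasons a query is suspicious (empty list if none).

    Thresholds are assumptions: 30+ characters and >= 3.0 bits/char
    catches hex- or base-encoded payload labels while ignoring long but
    repetitive labels.
    """
    reasons: list[str] = []
    if registered_domain(qname) in IOC_DOMAINS:
        reasons.append("ioc-domain")
    sub_labels = qname.split(".")[:-2]
    encoded = [
        label for label in sub_labels
        if len(label) >= min_label_len and shannon_entropy(label) >= min_entropy
    ]
    if encoded:
        reasons.append(f"encoded-labels:{len(encoded)}")
    return reasons


def scan_log(text: str) -> list[tuple[str, str, list[str]]]:
    """Run classify() over every log line; return (client, qname, reasons) hits."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, client, qname = parse_line(line)
        reasons = classify(qname)
        if reasons:
            findings.append((client, qname, reasons))
    return findings


if __name__ == "__main__":
    for client, qname, reasons in scan_log(SAMPLE_LOG):
        print(f"{client} -> {qname[:60]}... [{', '.join(reasons)}]")
```

In the sample, only the third and fifth lines are reported: the C&C query carries both reasons, the unknown-domain query is caught by the label heuristic alone, and the forty-character `aaaa...` label is ignored because its entropy is zero. Against real resolver logs the entropy threshold needs tuning, since CDN and anti-spam services also use long random-looking labels; the value of the heuristic is in surfacing candidates for review rather than blocking.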
Data exfiltration is any unauthorized movement of data out of a system or network. It is also known as data exfil, data exportation, data extrusion, data leakage and data theft.
Further details here.
Indicators of Compromise
Hashes
- cca561fe23233bfc6553435c11a6c19f5864c0028f7dd6466940c3818cdc5131
- 68d4b6af4f961f323b57b7e43e2004a11a59b4910271d9b3e9731fc992f51c55
C&C Servers
- weberdut.co
- icdn-cloud.com
IP Addresses
- 164.132.181.85
- 194.99.23.199
I am one of the editors here at www.systemtek.co.uk. I am a UK-based technology professional with an interest in computer security and telecoms.