How botnets use dynamic DNS hosting to connect to their C2 IP addresses

"FireEye studied a sample 100 active CnC domains for njRAT (includes LV categorisation), XtremeRAT, njw0rm, h-worm, and DarkComet that threat actors used against our customers. Though advanced threat actors are also using these tools, we surmise that various individual hackers and hacking teams are largely conducting these activities for notoriety hacking, hacktivism, cybercrime, or hobby hacking, and not targeted data theft from an APT campaign. Domain resolutions for the 100 dynamic CnC fully qualified domain names (FQDNs) revealed more than 20,000 historical IP resolutions, suggesting that these actors use dynamic domains for connectivity via their local Internet service provider to their personal computers.

Nearly all the C2 domains used a dynamic domain name system, such as no-ip, dyndns, adultdns, zapto, sytes, servequake, myvnc, with a number of the FQDNs individually resolving to hundreds of IP addresses. The sample set of FQDNs resolved to more than 20,000 IP addresses in our historical data and possibly indicated the origins of the activity given the apparent direct use of local Internet service providers. For example, in one case involving more than 600 FQDN-IP resolutions, more than 500 of the IPs appeared to be Jordan-based IPs. FireEye also found cases in which additional FQDNs simultaneously resolved to the same IPs as some of the identified C2 FQDNs."

FireEye regional threat report

So if you block access at your proxy to these dynamic DNS domains, which you normally do not need at all, then you limit the chance that an infected workstation can connect to a botnet's command-and-control server. Logging the blocked requests is worth doing as well, since a workstation that keeps trying to reach one of these domains is itself a sign of infection.
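
As an added example (not code from the blog post or from the FireEye report), here is a small Python check that runs over Squid-style proxy log lines and flags requests whose hostname falls under a dynamic DNS zone, then lists clients that hit such zones repeatedly. The zone list is an assumption built from the provider names in the quoted report, and the log lines are constructed; verify the zones against the providers' own domain lists before using them in a proxy ACL.

```python
"""Flag proxy requests to dynamic DNS zones (added example, not from the report)."""
from collections import Counter
from typing import Optional
from urllib.parse import urlsplit

# Assumption: second-level zones run by the dynamic DNS providers the report
# names. This is a constructed starting point, not an authoritative list.
DYNDNS_SUFFIXES = {
    "no-ip.org", "no-ip.biz", "no-ip.info",
    "dyndns.org", "adultdns.net",
    "zapto.org", "sytes.net", "servequake.com", "myvnc.com",
}

# Constructed Squid access.log lines: one benign request and two to dynamic DNS hosts.
SAMPLE_LOG = [
    "1397000000.123 45 10.0.0.12 TCP_MISS/200 512 GET http://update.example.com/feed - DIRECT/203.0.113.5 text/html",
    "1397000001.456 30 10.0.0.12 TCP_MISS/200 128 POST http://host123.no-ip.org:8080/ - DIRECT/198.51.100.7 -",
    "1397000002.789 5 10.0.0.12 TCP_DENIED/403 0 CONNECT abc.sytes.net:443 - HIER_NONE/- -",
]


def matches_dyndns(host: str) -> Optional[str]:
    """Return the matching zone if host is under one, else None.

    Matching is on whole labels, so 'evilno-ip.org' is not a match while
    'rat.no-ip.org' and 'no-ip.org' itself are.
    """
    labels = host.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in DYNDNS_SUFFIXES:
            return candidate
    return None


def flag_requests(log_lines):
    """Parse Squid-style lines; return (client, host, zone) for each dynamic DNS hit."""
    hits = []
    for line in log_lines:
        fields = line.split()
        if len(fields) < 7:
            continue  # not a well-formed access.log line
        client, url = fields[2], fields[6]
        if "://" not in url:
            url = "//" + url  # CONNECT lines carry host:port without a scheme
        host = urlsplit(url).hostname
        zone = matches_dyndns(host) if host else None
        if zone:
            hits.append((client, host, zone))
    return hits


def repeat_offenders(hits, threshold=2):
    """Clients with at least `threshold` hits: repeated attempts are the infection signal."""
    counts = Counter(client for client, _, _ in hits)
    return {client: n for client, n in counts.items() if n >= threshold}
```

Run `flag_requests` over a real access.log and feed the zones into your proxy's deny list; `repeat_offenders` is the list of workstations to pull for investigation.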
