DNSExfitrator

Description

(Kasperksy) At the end of May, we observed that Oilrig had included the DNSExfitrator tool in its toolset. It allows the threat actor to use the DNS over HTTPS (DoH) protocol. Use of the DNS protocol for malware communications is a technique that Oilrig has been using for a long time. The difference between DNS- and DoH-based requests is that, instead of plain text requests to port 53, they would use port 443 in encrypted packets. Oilrig added the publicly available DNSExfiltrator tool to its arsenal, which allows DoH queries to Google and Cloudflare services. This time, the operators decided to use subdomains of a COVID-related domain which are hardcoded in the DNSExfitrator detected samples.

Names

Name
DNSExfitrator

Type

Exfiltration
Tunneling

Information

https://securelist.com/apt-trends-report-q2-2020/97937/

Other Information

Uuid

135f3617-9251-4daf-999e-3fa79a029b5d

Last Card Change

2020-07-30

Threat Intelligence Garden

Explorer

DNSExfitrator

DNSExfitrator

Description

Names

Category

Type

Information

Other Information

Uuid

Last Card Change

Graph View

Table of Contents

Backlinks