CAPYBARA DNS TUNNELING CAMPAIGN

    Date: 09/30/2024

    Severity: High

    Summary

    We have identified a DNS tunneling campaign, named Capybara, that employs several techniques for encoding or obscuring data within the DNS tunnel, including a tailored Base32 encoding. DNS tunneling can begin as soon as the second day after a Capybara domain is registered. The campaign began in June 2024, and telemetry showed a peak of 22,685,570 fully qualified domain name (FQDN) detections in a single day in August 2024. The specific purpose of this campaign remains undetermined.

    Indicators of Compromise (IOC) List

    Domains\URLs


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs 1:

    userdomainname like "330808364653252368286123.com" or url like "330808364653252368286123.com" or userdomainname like "hcvvszvnlvrpdvjxuinischbqkitvytmdgwr.com" or url like "hcvvszvnlvrpdvjxuinischbqkitvytmdgwr.com" or userdomainname like "3ef3db1fdf4d546beb2632c9.com" or url like "3ef3db1fdf4d546beb2632c9.com" or userdomainname like "016656477884440675138143481364679730.com" or url like "016656477884440675138143481364679730.com" or userdomainname like "a922e84ad8d9.com" or url like "a922e84ad8d9.com" or userdomainname like "www-fedex-nmmlj.com" or url like "www-fedex-nmmlj.com" or userdomainname like "chkhj-capybara.biz" or url like "chkhj-capybara.biz" or userdomainname like "dryovaltenniscloudyfoggy.com" or url like "dryovaltenniscloudyfoggy.com" or userdomainname like "chkhj-capybara.info" or url like "chkhj-capybara.info" or userdomainname like "taco-bout-dns.com" or url like "taco-bout-dns.com" or userdomainname like "jpqndoipuibezzfywudcwlrs.com" or url like "jpqndoipuibezzfywudcwlrs.com" or userdomainname like "www-amazon-pflvc.com" or url like "www-amazon-pflvc.com" or userdomainname like "tuyuvqgacoubtnamgzeyufob.com" or url like "tuyuvqgacoubtnamgzeyufob.com" or userdomainname like "mysql-fflpz.com" or url like "mysql-fflpz.com" or userdomainname like "685384085526912082544592884350276026.com" or url like "685384085526912082544592884350276026.com" or userdomainname like "www-microsoft-nmmlj.com" or url like "www-microsoft-nmmlj.com" or userdomainname like "www-microsoft-pflvc.com" or url like "www-microsoft-pflvc.com" or userdomainname like "olomwedftisnhxostmmpzxxzbzjaajfaubne.com" or url like "olomwedftisnhxostmmpzxxzbzjaajfaubne.com" or userdomainname like "84e28d1c80fd.com" or url like "84e28d1c80fd.com" or userdomainname like "www-microsoft-ddfcs.com" or url like "www-microsoft-ddfcs.com" or userdomainname like "www-amazon-nmmlj.com" or url like "www-amazon-nmmlj.com" or userdomainname like "www-fedex-pflvc.com" or url like "www-fedex-pflvc.com" or userdomainname like "9ff2c02507bd154f646332f756c65838829e.com" or url like "9ff2c02507bd154f646332f756c65838829e.com" or userdomainname like "499817362469650332850899.com" or url like "499817362469650332850899.com" or userdomainname like "dpcnr-capybara.com" or url like "dpcnr-capybara.com" or userdomainname like "store-fflpz.com" or url like "store-fflpz.com" or userdomainname like "green-fflpz.com" or url like "green-fflpz.com" or userdomainname like "electriciansurfingguitar.com" or url like "electriciansurfingguitar.com" or userdomainname like "www-xfinity-pflvc.com" or url like "www-xfinity-pflvc.com" or userdomainname like "login-fflpz.com" or url like "login-fflpz.com" or userdomainname like "www-paypal-nmmlj.com" or url like "www-paypal-nmmlj.com"

    Domains\URLs 2:

    userdomainname like "70f1a8e6a47c9539c3ac51593824e17f5cc0.com" or url like "70f1a8e6a47c9539c3ac51593824e17f5cc0.com" or userdomainname like "7aacd04a13abfd3bf4a5b1cd.com" or url like "7aacd04a13abfd3bf4a5b1cd.com" or userdomainname like "admin-bqfcb.com" or url like "admin-bqfcb.com" or userdomainname like "admin-fflpz.com" or url like "admin-fflpz.com" or userdomainname like "baseballstarhotclarinetchefsaxophone.com" or url like "baseballstarhotclarinetchefsaxophone.com" or userdomainname like "brown-bqfcb.com" or url like "brown-bqfcb.com" or userdomainname like "brown-fflpz.com" or url like "brown-fflpz.com" or userdomainname like "chkhj-capybara.co" or url like "chkhj-capybara.co" or userdomainname like "chkhj-capybara.com" or url like "chkhj-capybara.com" or userdomainname like "chkhj-capybara.me" or url like "chkhj-capybara.me" or userdomainname like "chkhj-capybara.mobi" or url like "chkhj-capybara.mobi" or userdomainname like "chkhj-capybara.org" or url like "chkhj-capybara.org" or userdomainname like "chkhj-capybara.ws" or url like "chkhj-capybara.ws" or userdomainname like "dpcnr-capybara.biz" or url like "dpcnr-capybara.biz" or userdomainname like "dpcnr-capybara.co" or url like "dpcnr-capybara.co" or userdomainname like "dpcnr-capybara.info" or url like "dpcnr-capybara.info" or userdomainname like "dpcnr-capybara.me" or url like "dpcnr-capybara.me" or userdomainname like "dpcnr-capybara.mobi" or url like "dpcnr-capybara.mobi" or userdomainname like "dpcnr-capybara.org" or url like "dpcnr-capybara.org" or userdomainname like "dpcnr-capybara.ws" or url like "dpcnr-capybara.ws" or userdomainname like "files-bqfcb.com" or url like "files-bqfcb.com" or userdomainname like "files-fflpz.com" or url like "files-fflpz.com" or userdomainname like "green-bqfcb.com" or url like "green-bqfcb.com" or userdomainname like "login-bqfcb.com" or url like "login-bqfcb.com" or userdomainname like "mysql-bqfcb.com" or url like "mysql-bqfcb.com" or userdomainname like "porcupineplumbercellomuskratbaseball.com" or url like "porcupineplumbercellomuskratbaseball.com" or userdomainname like "store-bqfcb.com" or url like "store-bqfcb.com" or userdomainname like "users-bqfcb.com" or url like "users-bqfcb.com" or userdomainname like "users-fflpz.com" or url like "users-fflpz.com" or userdomainname like "www-homedepot-nmmlj.com" or url like "www-homedepot-nmmlj.com" or userdomainname like "www-homedepot-pflvc.com" or url like "www-homedepot-pflvc.com" or userdomainname like "www-microsoft-rbscq.com" or url like "www-microsoft-rbscq.com" or userdomainname like "www-network-nmmlj.com" or url like "www-network-nmmlj.com" or userdomainname like "www-network-pflvc.com" or url like "www-network-pflvc.com" or userdomainname like "www-online-nmmlj.com" or url like "www-online-nmmlj.com" or userdomainname like "www-online-pflvc.com" or url like "www-online-pflvc.com" or userdomainname like "www-paypal-pflvc.com" or url like "www-paypal-pflvc.com" or userdomainname like "www-xfinity-nmmlj.com" or url like "www-xfinity-nmmlj.com"
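    An added Python example, not part of this advisory or of the Gurucul TDIR product: it approximates the domain match of the queries above over constructed resolver log lines, and adds a heuristic for long Base32-alphabet subdomain labels of the kind the tunnel would carry. The log format, the three-domain subset of the IOC list, and the 20-character Base32 threshold are assumptions.

```python
import re

# Constructed subset of the Capybara domains listed in this advisory; in
# production load the full list from the IOC feed referenced below.
CAPYBARA_DOMAINS = {
    "taco-bout-dns.com",
    "chkhj-capybara.com",
    "www-microsoft-nmmlj.com",
}

# Assumption (not stated by the advisory): tunnelled payloads appear as long
# subdomain labels restricted to the RFC 4648 Base32 alphabet, lower-cased.
BASE32_LABEL = re.compile(r"^[a-z2-7]{20,}$")

def ioc_match(fqdn):
    """Approximate the TDIR 'like' match: the name is, or is under, an IOC."""
    name = fqdn.rstrip(".").lower()
    for domain in CAPYBARA_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return domain
    return None

def looks_base32_tunnel(fqdn):
    """True if any label left of the registered domain is a long Base32 run."""
    labels = fqdn.rstrip(".").lower().split(".")[:-2]
    return any(BASE32_LABEL.match(label) for label in labels)

def triage(log_lines):
    """Return (fqdn, reason) for each query matching an IOC or the heuristic."""
    hits = []
    for line in log_lines:
        fields = line.split()  # constructed format: ts client qtype fqdn
        if len(fields) < 4:
            continue
        fqdn = fields[3]
        domain = ioc_match(fqdn)
        if domain:
            hits.append((fqdn, "ioc:" + domain))
        elif looks_base32_tunnel(fqdn):
            hits.append((fqdn, "base32-heuristic"))
    return hits

# Constructed sample resolver log; the last entry is not on the IOC list.
SAMPLE_LOG = [
    "2024-08-15T10:00:01Z 10.0.0.5 TXT mfrggzdfmztwq2lknnwg23tpobyxe43u.taco-bout-dns.com",
    "2024-08-15T10:00:02Z 10.0.0.5 A www.example.com",
    "2024-08-15T10:00:03Z 10.0.0.9 A mail.chkhj-capybara.com",
    "2024-08-15T10:00:04Z 10.0.0.7 TXT nbswy3dpeb3w64tmmqqq.unrelated-example.net",
]
```

    Calling triage(SAMPLE_LOG) flags the first and third lines by IOC and the fourth by the heuristic only, which is the case the IOC list alone would miss.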

    Reference:

    https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2024-09-26-IOCs-for-Capybara-DNS-tunneling-campaign.txt

    Tags: Malware, CAPYBARA