Date: 10/07/2024
Severity: Medium
Summary
The Unit 42 article "No Way to Hide: Uncovering New Campaigns from Daily Tunneling Detection" describes four previously undisclosed DNS tunneling campaigns identified by a new daily monitoring system. The system flags potentially malicious tunneling domains by analyzing DNS traffic patterns and domain attributes shared with known campaigns. DNS tunneling encodes data in DNS queries and responses, so the traffic passes through firewalls that permit DNS and gives threat actors a covert channel for data exfiltration and infiltration. The research also shows how the system links newly found campaigns to existing ones, which improves detection coverage for the network as a whole.
Indicators of Compromise (IOC) List
URL/Domains | soupandselfcare.com, juicyplaymatesfinder.com, pretorya.site, codeaddon.net, linkwide.site, mouvobo.site, avtomaty-bcg.online, dreyzek.com, dtodcart.site, foxxbank.com, healthproreview.com, lifemedicalplus.net, lustypartnersfinder.com, mponiem.site, ns2000wip.com, piquantchicksfinder.com, sosua.cz, unlimitedpartnersfinder.com, yummyflingsfinder.com, yummyloversfinder.com, zzczloh.site |
IP Addresses | 88.119.169.205, 185.161.248.253, 185.176.220.80, 185.176.220.212 |
Hash (SHA-256) |
dfb3e5f557a17c8cdebdb5b371cf38c5a7ab491b2aeaad6b4e76459a05b44f28
0b99db286f3708fedf7e2bb8f24df1af13811fe46b017b6c3e7e002852479430
c22d25107e48962b162c935a712240c0a4486b38891855f0e53d5eb972406782
c3a29c2457f33e54298a1c72a967aa161a96b0ae62ffbefe9e5e1c2057d7f3f4 |
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Detection Query 1 | userdomainname like "soupandselfcare.com" or url like "soupandselfcare.com" or userdomainname like "juicyplaymatesfinder.com" or url like "juicyplaymatesfinder.com" or userdomainname like "pretorya.site" or url like "pretorya.site" or userdomainname like "codeaddon.net" or url like "codeaddon.net" or userdomainname like "linkwide.site" or url like "linkwide.site" or userdomainname like "mouvobo.site" or url like "mouvobo.site" or userdomainname like "avtomaty-bcg.online" or url like "avtomaty-bcg.online" or userdomainname like "dreyzek.com" or url like "dreyzek.com" or userdomainname like "dtodcart.site" or url like "dtodcart.site" or userdomainname like "foxxbank.com" or url like "foxxbank.com" or userdomainname like "healthproreview.com" or url like "healthproreview.com" or userdomainname like "lifemedicalplus.net" or url like "lifemedicalplus.net" or userdomainname like "lustypartnersfinder.com" or url like "lustypartnersfinder.com" or userdomainname like "mponiem.site" or url like "mponiem.site" or userdomainname like "ns2000wip.com" or url like "ns2000wip.com" or userdomainname like "piquantchicksfinder.com" or url like "piquantchicksfinder.com" or userdomainname like "sosua.cz" or url like "sosua.cz" or userdomainname like "unlimitedpartnersfinder.com" or url like "unlimitedpartnersfinder.com" or userdomainname like "yummyflingsfinder.com" or url like "yummyflingsfinder.com" or userdomainname like "yummyloversfinder.com" or url like "yummyloversfinder.com" or userdomainname like "zzczloh.site" or url like "zzczloh.site" |
Detection Query 2 | dstipaddress IN ("88.119.169.205","185.161.248.253","185.176.220.80","185.176.220.212") or ipaddress IN ("88.119.169.205","185.161.248.253","185.176.220.80","185.176.220.212") or publicipaddress IN ("88.119.169.205","185.161.248.253","185.176.220.80","185.176.220.212") or srcipaddress IN ("88.119.169.205","185.161.248.253","185.176.220.80","185.176.220.212") |
Detection Query 3 | sha256hash IN ("dfb3e5f557a17c8cdebdb5b371cf38c5a7ab491b2aeaad6b4e76459a05b44f28","0b99db286f3708fedf7e2bb8f24df1af13811fe46b017b6c3e7e002852479430","c22d25107e48962b162c935a712240c0a4486b38891855f0e53d5eb972406782","c3a29c2457f33e54298a1c72a967aa161a96b0ae62ffbefe9e5e1c2057d7f3f4") |
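The queries above match the IOC values as literal strings in SIEM fields. As an added example, not part of this advisory or of the Unit 42 article, the Python script below runs the same domain IOCs over DNS query-log lines with label-boundary suffix matching, so that encoded-data subdomains of an IOC domain are hits while look-alike names such as notfoxxbank.com (which a substring "like" clause would also catch) are not, and adds the subdomain-length and entropy heuristics that DNS tunneling detection commonly relies on. The log format, the sample log lines and the thresholds are constructed assumptions; the IOC domains are the advisory's.

```python
"""
Added example (not part of the original advisory or the Unit 42 article).

Scans DNS query-log lines for the advisory's IOC domains with label-boundary
suffix matching, and scores the subdomain portion of every query with two
common tunneling heuristics (length and Shannon entropy). The log format,
sample lines and thresholds are constructed assumptions for this example.
"""
import math
import re
from collections import Counter

# IOC domains copied from the advisory's IOC list.
IOC_DOMAINS = {
    "soupandselfcare.com", "juicyplaymatesfinder.com", "pretorya.site",
    "codeaddon.net", "linkwide.site", "mouvobo.site", "avtomaty-bcg.online",
    "dreyzek.com", "dtodcart.site", "foxxbank.com", "healthproreview.com",
    "lifemedicalplus.net", "lustypartnersfinder.com", "mponiem.site",
    "ns2000wip.com", "piquantchicksfinder.com", "sosua.cz",
    "unlimitedpartnersfinder.com", "yummyflingsfinder.com",
    "yummyloversfinder.com", "zzczloh.site",
}

# Assumed log format: "<timestamp> <client_ip> <qname> <qtype>".
LOG_LINE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")

# Heuristic thresholds (assumptions; tune against your own baseline).
MAX_SUBDOMAIN_LEN = 30
MAX_SUBDOMAIN_ENTROPY = 3.5


def ioc_match(qname):
    """Return the IOC domain that qname equals or sits under, else None.

    Matching is done on label boundaries, so 'mail.notfoxxbank.com' is not
    a hit while '<encoded-data>.foxxbank.com' is. A plain substring 'like'
    clause would treat both the same way.
    """
    labels = qname.rstrip(".").lower().split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def shannon_entropy(text):
    """Bits of entropy per character; 0.0 for an empty or single-symbol string."""
    if not text:
        return 0.0
    counts = Counter(text)
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def subdomain_part(qname):
    """Everything left of the registrable domain.

    Approximation: the registrable domain is taken as the last two labels.
    A production detector should use a public-suffix list instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]) if len(labels) > 2 else ""


def analyze(log_text):
    """Parse log lines and return one record per well-formed line."""
    records = []
    for line in log_text.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip blank or malformed lines
        ts, client, qname, qtype = m.groups()
        sub = subdomain_part(qname)
        entropy = shannon_entropy(sub.replace(".", ""))
        records.append({
            "ts": ts,
            "client": client,
            "qname": qname,
            "qtype": qtype,
            "ioc": ioc_match(qname),
            "subdomain_len": len(sub),
            "entropy": round(entropy, 2),
            "suspicious": len(sub) > MAX_SUBDOMAIN_LEN
            or entropy > MAX_SUBDOMAIN_ENTROPY,
        })
    return records


def alerts(records):
    """Records worth a ticket: IOC hits, or heuristic hits on any domain."""
    return [r for r in records if r["ioc"] or r["suspicious"]]


# Constructed sample log: two IOC domains, one look-alike, one benign name
# and one high-entropy subdomain under a domain that is not on the list.
SAMPLE_LOG = """\
2024-10-07T10:00:01Z 10.0.0.5 www.example.com A
2024-10-07T10:00:02Z 10.0.0.5 7a6b3c9e1f0d4a5b8c2e6f1a9d0b3c7e4f8a1b2c.foxxbank.com TXT
2024-10-07T10:00:03Z 10.0.0.9 mail.notfoxxbank.com A
2024-10-07T10:00:04Z 10.0.0.9 ns1.sosua.cz A
2024-10-07T10:00:05Z 10.0.0.7 kq3z9v1x8m2b7c4n5d6f0h1j.example.net A
"""

if __name__ == "__main__":
    for r in alerts(analyze(SAMPLE_LOG)):
        print(r["client"], r["qname"], "ioc=" + str(r["ioc"]),
              "entropy=" + str(r["entropy"]), "suspicious=" + str(r["suspicious"]))
```

On the sample log the script raises three alerts: the foxxbank.com query (IOC hit and an over-long subdomain), the sosua.cz query (IOC hit only) and the example.net query (no IOC, but a subdomain whose entropy exceeds the threshold). The look-alike mail.notfoxxbank.com is not reported. The heuristics are only a starting point; the Unit 42 system additionally correlates domain registration and infrastructure attributes, which this example does not cover.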
Reference:
https://unit42.paloaltonetworks.com/detecting-dns-tunneling-campaigns/