092. Detecting FogDoor's C&C Communications

Hello everyone! Let's talk about Dead Drop Resolver (DDR) technique one more time. Cyble team presented a report on FogDoor. The malware retrieves attack commands from a social media profile, communicating with bark[.]lgbt/api.


It means we can hunt for communications with this domain, of course:

event_type: "dnsreq"

AND

dns_rname: "bark.lgbt"

It's not all! The adversary also used a temporary webhook storage, webhookbin[.]net, to collect executed command output. We can hunt for similar activity using the same logic:

event_type: "dnsreq"

AND

dns_rname: "webhookbin.net"

As always, you can find more detection opportunities in the report.

See you tomorrow!

Comments

Popular posts from this blog

391. Hunting for TeamPCP's Stealer

343. Ransomware Gangs Abuse SystemSettingsAdminFlows to Evade Defenses

013. It Can Remove Rootkits. And Your EDR!