092. Detecting FogDoor's C&C Communications

Hello everyone! Let's talk about the Dead Drop Resolver (DDR) technique one more time. The Cyble team published a report on FogDoor. The malware retrieves attack commands from a social media profile, communicating with bark[.]lgbt/api.


This means we can, of course, hunt for DNS requests for this domain:

event_type: "dnsreq"
AND
dns_rname: "bark.lgbt"

That's not all! The adversary also used a temporary webhook storage, webhookbin[.]net, to collect the output of executed commands. We can hunt for this activity using the same logic:

event_type: "dnsreq"
AND
dns_rname: "webhookbin.net"
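The two hunts above, as an added Python example (not code from the original post or from Cyble's report): it refangs the indicators as written here, then applies the same event_type/dns_rname logic to constructed sample events, and also matches subdomains such as api.bark.lgbt, which an exact-match dns_rname query would miss. The field names, the sample events and the refang/domain_matches helpers are assumptions.

```python
import json
import re

# Defanged indicators as written in the post (refanged below).
DEFANGED_IOCS = ["bark[.]lgbt", "webhookbin[.]net"]


def refang(indicator: str) -> str:
    """Turn a defanged domain such as bark[.]lgbt into bark.lgbt."""
    return re.sub(r"\[\.\]|\(\.\)", ".", indicator).lower().strip(".")


def domain_matches(rname: str, ioc: str) -> bool:
    """True for the IoC domain itself or any subdomain of it, so api.bark.lgbt
    is caught too; an exact-match dns_rname query would miss it."""
    rname = rname.lower().rstrip(".")  # tolerate trailing-dot FQDNs and case
    return rname == ioc or rname.endswith("." + ioc)


def hunt_dns_events(events, defanged_iocs=DEFANGED_IOCS):
    """Same logic as the post's queries: event_type == "dnsreq" AND dns_rname
    hits an IoC. Returns (matched_ioc, event) tuples."""
    iocs = [refang(i) for i in defanged_iocs]
    hits = []
    for ev in events:
        if ev.get("event_type") != "dnsreq":
            continue
        for ioc in iocs:
            if domain_matches(ev.get("dns_rname", ""), ioc):
                hits.append((ioc, ev))
                break
    return hits


def parse_jsonl(text: str):
    return [json.loads(line) for line in text.splitlines() if line.strip()]

# Constructed sample telemetry (JSON lines), not real data.
SAMPLE_LOG = """\
{"ts": "2025-03-20T10:00:01Z", "host": "ws01", "event_type": "dnsreq", "dns_rname": "bark.lgbt"}
{"ts": "2025-03-20T10:00:02Z", "host": "ws01", "event_type": "dnsreq", "dns_rname": "api.bark.lgbt"}
{"ts": "2025-03-20T10:00:03Z", "host": "ws02", "event_type": "dnsreq", "dns_rname": "WEBHOOKBIN.NET."}
{"ts": "2025-03-20T10:00:04Z", "host": "ws02", "event_type": "netconn", "dns_rname": "bark.lgbt"}
{"ts": "2025-03-20T10:00:05Z", "host": "ws02", "event_type": "dnsreq", "dns_rname": "notbark.lgbt"}
"""

if __name__ == "__main__":
    for ioc, ev in hunt_dns_events(parse_jsonl(SAMPLE_LOG)):
        print(f"{ev['ts']} {ev['host']} dnsreq {ev['dns_rname']} -> {ioc}")
```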

As always, you can find more detection opportunities in the report.

See you tomorrow!
