Critical Security Threat Uncovered by Infoblox Threat Intelligence Group

Infoblox has found a new set of beacons that use DNS (the Domain Name System) to communicate with Russian command-and-control (C2) infrastructure. The activity has kept a very low profile since April 2022. Infoblox had previously flagged some of the suspicious domains, but only recently confirmed that they represent a real threat and an ongoing compromise of systems. Infoblox's Head of Threat Intelligence, Renée Burton, states in her Mastodon post that they are pretty confident the C2 is built on a modified Pupy RAT, which would allow the attacker to control compromised devices. "We are certain it is not consumer devices that are compromised. It's evolved and new domains are being set up," said Renée Burton, Head of the Infoblox Threat Intelligence Group. Pupy RAT has been used by state actors (APT groups) in the past.

Early intelligence suggests a single threat actor leveraging common DNS behavior. Infoblox has not yet verified the attack vector but is working through its intelligence data to learn more. Organizations with protective DNS can block these domains immediately, mitigating their risk while the investigation continues.

C2 Domains to Block:

Infoblox is urging organizations to block these domains now!

  • claudfront[.]net
  • allowlisted[.]net
  • atlas-upd[.]com
  • ads-tm-glb[.]click
  • cbox4[.]ignorelist[.]com
  • hsdps[.]cc
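As an added example (not from Infoblox or the original article), the following Python script refangs the indicators above and scans DNS query-log lines for lookups of those domains or of any subdomain beneath them, which is the form DNS beacon traffic usually takes. The log line format, the sample lines and the client addresses are constructed assumptions; adapt the regex to your resolver's log format.

```python
import re
from typing import Iterable, List, Optional, Tuple

# The six C2 domains from the list above, kept in their defanged form
# so the indicator file cannot be clicked or resolved by accident.
DEFANGED_IOCS = [
    "claudfront[.]net",
    "allowlisted[.]net",
    "atlas-upd[.]com",
    "ads-tm-glb[.]click",
    "cbox4[.]ignorelist[.]com",
    "hsdps[.]cc",
]


def refang(domain: str) -> str:
    """Convert a defanged indicator such as 'example[.]com' to a normalized hostname."""
    return domain.replace("[.]", ".").replace("(.)", ".").strip().lower().rstrip(".")


IOCS = frozenset(refang(d) for d in DEFANGED_IOCS)


def matches_ioc(qname: str, iocs=IOCS) -> Optional[str]:
    """Return the indicator that qname equals or is a subdomain of, else None.

    Matching is done on label boundaries, so 'notclaudfront.net' is not a hit
    while 'a1b2c3.claudfront.net' is. Beacons commonly encode data in a subdomain
    of the C2 domain, so an exact-match blocklist would miss them.
    """
    labels = qname.strip().lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


# Hypothetical query-log line format (an assumption; adjust the regex to your resolver):
#   ... client 10.0.0.5#53211: query: a1b2c3.claudfront.net IN A + (10.0.0.2)
QUERY_RE = re.compile(
    r"client (?:@0x[0-9a-f]+ )?(?P<client>[0-9a-fA-F:.]+)#\d+.*?"
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def scan_log(lines: Iterable[str]) -> List[Tuple[str, str, str, str]]:
    """Return (client, qname, qtype, matched_ioc) for every query that hits an IOC."""
    hits = []
    for line in lines:
        m = QUERY_RE.search(line)
        if not m:
            continue  # not a query line, or a format this regex does not cover
        ioc = matches_ioc(m.group("qname"))
        if ioc:
            hits.append((m.group("client"), m.group("qname"), m.group("qtype"), ioc))
    return hits


# Constructed sample log lines; this is not real captured traffic.
SAMPLE_LOG = [
    "26-Apr-2023 10:15:02.123 client 10.0.0.5#53211: query: a1b2c3.claudfront.net IN A + (10.0.0.2)",
    "26-Apr-2023 10:15:03.001 client 10.0.0.7#40112: query: d1abc.cloudfront.net IN A + (10.0.0.2)",
    "26-Apr-2023 10:15:04.456 client 10.0.0.9#51020: query: notclaudfront.net IN A + (10.0.0.2)",
    "26-Apr-2023 10:15:05.789 client 10.0.0.5#53212: query: hsdps.cc IN TXT + (10.0.0.2)",
    "26-Apr-2023 10:15:06.000 client 10.0.0.11#44444: query: other.ignorelist.com IN A + (10.0.0.2)",
    "26-Apr-2023 10:15:07.000 zone example.internal/IN: loaded serial 2023042601",
]

if __name__ == "__main__":
    for client, qname, qtype, ioc in scan_log(SAMPLE_LOG):
        print(f"ALERT client={client} qname={qname} type={qtype} matched={ioc}")
```

Two points to notice in the sample run: the legitimate-looking cloudfront.net lookup is not flagged, only the lookalike claudfront.net is, and other.ignorelist.com is not flagged because the published indicator is the full host cbox4.ignorelist.com, not its parent domain. If your protective DNS supports response policy zones, the same refanged list can be loaded as an RPZ blocklist, which blocks the subdomains as well when the entries are written as wildcards.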

The Impact:

The Infoblox Threat Intelligence Group believes that this set of beacons exists on a limited number of networks and that the beacons are not generated by laptops or mobile devices. An undetected Remote Access Trojan (RAT) on a network gives the attacker control of the compromised device.