Examining the trove of data exposed in Autonomous System Numbers (ASNs) can identify and mitigate complex malware campaigns in novel ways. Using these technique, HYAS has just published Tracking An Active Remcos Malware Campaign.
Remcos is a commercially available application used for remotely controlling Windows computers. When used covertly, it operates as a fully functional remote access trojan, able to monitor keystrokes, exfiltrate data, passwords, or screenshots, and monitor cameras.
The campaign HYAS is tracking began on May 14, 2024, and is operated out of Maiduguri, Nigeria. Recent malware detonations have indicated Remcos C2 communication with two domains, taker202.ddns[.]net (port 3017) and taker202.duckdns[.]org (port 5033). Both domains resolve to Lithuania, and are hosted on the ISP “Silent Connection Ltd”.
The report details the threat actor’s use of dynamic DNS services (DDNS and DuckDNS) for Command and Control (C2) communications which — combined with hosting on a Lithuanian ISP — obfuscates the true origin of the attack and also leverages international resources to evade localized law enforcement. The use of DDNS allows for rapid changes in IP addresses, complicating traditional IP-based blocking and tracking methods.
HYAS’ report provides real-time tracking and attribution, the impacts and risks of Remcos, and detection and removal recommendations.
About HYAS’ Novel Research Process: ASNs are unique identifiers of networks participating in the global routing system, and can offer insight into the infrastructure threat actors are using. HYAS collects IOCs such as IP addresses, domain names, file hashes, and other artifacts associated with a suspected malware campaign and uses specialized tools, databases, and techniques to map the collected IP addresses to their corresponding ASNs. This enumeration helps ID the ownership and affiliations of networks involved in the campaign. HYAS then:
- identifies the origins of malicious traffic,
- pinpoints hosting providers associated with malware distribution,
- surfaces and traces connections between threats and entities that otherwise seem unaffiliated, and
- attributes malware campaigns to specific threat actors or groups, defend against active campaigns and thwart future ones.
Like this:
Like Loading...
Related
This entry was posted on June 3, 2024 at 1:11 pm and is filed under Commentary with tags HYAS. You can follow any responses to this entry through the RSS 2.0 feed.
You can leave a response, or trackback from your own site.
HYAS Experts Warn Of Active Remcos RAT Campaign
Examining the trove of data exposed in Autonomous System Numbers (ASNs) can identify and mitigate complex malware campaigns in novel ways. Using these technique, HYAS has just published Tracking An Active Remcos Malware Campaign.
Remcos is a commercially available application used for remotely controlling Windows computers. When used covertly, it operates as a fully functional remote access trojan, able to monitor keystrokes, exfiltrate data, passwords, or screenshots, and monitor cameras.
The campaign HYAS is tracking began on May 14, 2024, and is operated out of Maiduguri, Nigeria. Recent malware detonations have indicated Remcos C2 communication with two domains, taker202.ddns[.]net (port 3017) and taker202.duckdns[.]org (port 5033). Both domains resolve to Lithuania, and are hosted on the ISP “Silent Connection Ltd”.
The report details the threat actor’s use of dynamic DNS services (DDNS and DuckDNS) for Command and Control (C2) communications which — combined with hosting on a Lithuanian ISP — obfuscates the true origin of the attack and also leverages international resources to evade localized law enforcement. The use of DDNS allows for rapid changes in IP addresses, complicating traditional IP-based blocking and tracking methods.
HYAS’ report provides real-time tracking and attribution, the impacts and risks of Remcos, and detection and removal recommendations.
About HYAS’ Novel Research Process: ASNs are unique identifiers of networks participating in the global routing system, and can offer insight into the infrastructure threat actors are using. HYAS collects IOCs such as IP addresses, domain names, file hashes, and other artifacts associated with a suspected malware campaign and uses specialized tools, databases, and techniques to map the collected IP addresses to their corresponding ASNs. This enumeration helps ID the ownership and affiliations of networks involved in the campaign. HYAS then:
Share this:
Like this:
Related
This entry was posted on June 3, 2024 at 1:11 pm and is filed under Commentary with tags HYAS. You can follow any responses to this entry through the RSS 2.0 feed. You can leave a response, or trackback from your own site.