Sandiflux: Another botnet using Fast Flux technology has emerged
SandiFlux is a newly identified Fast Flux infrastructure. Attackers use Fast Flux infrastructure in the wild to hide malicious activity such as malware and phishing campaigns.
Fast Flux is a technique in which many IP addresses are assigned to the same domain name and rotated rapidly through constantly changing DNS records.
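As an added example (not code from the original post or from Proofpoint), the following Python script scores a constructed log of DNS lookups for the traits the paragraph above describes: a single name resolving to many distinct addresses, spread across many networks, with short TTLs. The domain names, addresses, timestamps and the thresholds in `analyze()` are all assumptions chosen for illustration.

```python
"""Heuristic fast-flux indicator over a log of DNS A-record lookups.

All sample data and thresholds are constructed for this example; they are
not a published detection rule.
"""
from __future__ import annotations

from dataclasses import dataclass
from ipaddress import ip_network
from statistics import mean

# Constructed lookup log: (domain, A record, TTL in seconds, unix time of lookup).
# Addresses come from documentation/private ranges and point at nothing real.
SAMPLE_LOOKUPS = [
    # Flux-like: each lookup returns a new host in a different /16, TTL 60.
    ("flux-example.test", "10.11.5.2", 60, 1_700_000_000),
    ("flux-example.test", "10.42.9.17", 60, 1_700_000_600),
    ("flux-example.test", "192.0.2.44", 60, 1_700_001_200),
    ("flux-example.test", "198.51.100.9", 60, 1_700_001_800),
    ("flux-example.test", "203.0.113.71", 60, 1_700_002_400),
    ("flux-example.test", "10.77.3.3", 60, 1_700_003_000),
    ("flux-example.test", "10.91.8.8", 60, 1_700_003_600),
    ("flux-example.test", "10.120.1.5", 60, 1_700_004_200),
    # Stable: two addresses in one network, long TTL.
    ("stable-example.test", "192.0.2.10", 3600, 1_700_000_000),
    ("stable-example.test", "192.0.2.11", 3600, 1_700_000_600),
    ("stable-example.test", "192.0.2.10", 3600, 1_700_001_200),
    ("stable-example.test", "192.0.2.11", 3600, 1_700_001_800),
    ("stable-example.test", "192.0.2.10", 3600, 1_700_002_400),
    ("stable-example.test", "192.0.2.11", 3600, 1_700_003_000),
]


@dataclass(frozen=True)
class FluxReport:
    domain: str
    distinct_ips: int
    distinct_prefixes: int   # distinct /16 blocks, a cheap offline stand-in for ASN diversity
    avg_ttl: float
    ips_per_hour: float      # how fast new addresses appear over the observed window
    flagged: bool


def analyze(domain: str, lookups: list[tuple[str, str, int, int]]) -> FluxReport:
    """Summarise the lookups for one domain and apply an (assumed) flux threshold."""
    rows = [r for r in lookups if r[0] == domain]
    if not rows:
        raise ValueError(f"no observations for {domain}")
    ips = {ip for _, ip, _, _ in rows}
    # strict=False lets ip_network() mask the host bits instead of raising.
    prefixes = {str(ip_network(f"{ip}/16", strict=False)) for ip in ips}
    avg_ttl = mean(ttl for _, _, ttl, _ in rows)
    times = [ts for _, _, _, ts in rows]
    hours = max(max(times) - min(times), 1) / 3600
    ips_per_hour = len(ips) / hours
    # Assumed thresholds: many addresses, in several networks, with short TTLs.
    flagged = len(ips) >= 5 and len(prefixes) >= 3 and avg_ttl <= 300
    return FluxReport(domain, len(ips), len(prefixes), avg_ttl, ips_per_hour, flagged)


def flagged_domains(lookups: list[tuple[str, str, int, int]]) -> list[str]:
    """Return every domain in the log whose lookups match the flux heuristic."""
    domains = sorted({r[0] for r in lookups})
    return [d for d in domains if analyze(d, lookups).flagged]


if __name__ == "__main__":
    for d in sorted({r[0] for r in SAMPLE_LOOKUPS}):
        print(analyze(d, SAMPLE_LOOKUPS))
    print("flagged:", flagged_domains(SAMPLE_LOOKUPS))
```

Run on the constructed log, only `flux-example.test` is flagged. In real DNS telemetry the same traits also appear for large CDNs and round-robin load balancers, so a heuristic like this is a triage signal to combine with an allowlist of known hosting providers and with reputation data, not a verdict on its own.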
Security researchers from Proofpoint identified a new Fast Flux infrastructure, dubbed SandiFlux, that is used to distribute malware and is acting as a proxy for GandCrab ransomware.
Starting in December, the researchers observed new fast flux domain nodes and decided to monitor them separately, alongside some events from DarkCloud. They also saw threat actors move from DarkCloud to SandiFlux.
Proofpoint said that their findings come from long-term observation of the DarkCloud botnet, which has been using Fast Flux technology since 2014. Most of the infected computers that make up DarkCloud are concentrated in Ukraine and Russia (77.4% and 14.5%, respectively).
Unlike DarkCloud, SandiFlux nodes are concentrated in Romania and Bulgaria (46.4% and 21.3%, respectively), with smaller numbers in other parts of Europe, Africa, the Middle East and southern Asia.
Services similar to SandiFlux:
Similar services are offered by the operators of DarkCloud, also known as Fluxxy, a multi-purpose botnet whose activity Proofpoint has monitored since 2014. This infrastructure lets its users quickly and automatically change IP addresses, domains and even DNS servers to extend the life of fraudulent sites, malicious sites and C&C servers.
DarkCloud is widely used by carders, exploit-kit operators, authors of malvertising campaigns, spammers, phishers, botnet herders and malware operators, for example the Furtim downloader and SFG.
Now, according to Proofpoint, some of these attackers have begun to migrate to SandiFlux. In February the new infrastructure was tested by a distributor of zloader, the campaign operator the researchers track as TA547. In November this attacker had, by their observations, been using the DarkCloud infrastructure.
Fast Flux DNS has proved to be a powerful tool for threat actors looking to hide dark web sites, malicious infrastructure, and other web-based operations from researchers and law enforcement. While DarkCloud/Fluxxy is the best documented, a new Fast Flux botnet has emerged with nodes of compromised hosts distributed much more widely. It is likely that both DarkCloud and SandiFlux are operated by the same actor, who rents capabilities to other actors. GandCrab ransomware in particular now has its command and control proxied behind SandiFlux, although a number of other actors we track are making use of the infrastructure to mask their operations. While direct effects on compromised hosts include performance and bandwidth degradation, the more significant global impact is increased capacity for providing Fast Flux DNS to threat actors.