Openhunting Threat Library

DNSRat

DNSRat, DNSbot
(Type: Backdoor)

(Flashpoint) The second new malware sample discovered is a multiprotocol backdoor called DNSbot, which is used to exchange commands and push data to and from compromised machines. Primarily, it operates over DNS traffic, but can also switch to encrypted channels such as HTTPS or SSL, Flashpoint analysts discovered.

[News Analysis] Trends:

Total Trend: 2

Trend Per Year
1
2019
1
2020


Trend Per Month
1
Mar 2019
1
Feb 2020



[News Analysis] News Mention Another Threat Name:

48 - Chrysaor48 - Exodus48 - Dacls48 - VPNFilter48 - DNSRat48 - Griffon48 - KopiLuwak48 - More_eggs48 - SQLRat48 - AppleJeus48 - BONDUPDATER48 - Agent.BTZ48 - Anchor48 - AndroMut48 - BOOSTWRITE48 - Brambul48 - Carbanak48 - Cobalt Strike48 - DistTrack48 - DNSpionage48 - Dtrack48 - ELECTRICFISH48 - FlawedAmmyy48 - FlawedGrace48 - Get248 - Grateful POS48 - HOPLIGHT48 - Imminent Monitor RAT48 - jason48 - Joanap48 - KerrDown48 - KEYMARBLE48 - Lambert48 - LightNeuron48 - LoJax48 - MiniDuke48 - PolyglotDuke48 - PowerRatankba48 - Rising Sun48 - SDBbot48 - ServHelper48 - Snatch48 - Stuxnet48 - TinyMet48 - tRat48 - TrickBot48 - Volgmer48 - X-Agent48 - Zebrocy


[TTP Analysis] Technique Performance:

reconnaissance
0/43
resource development
0/45
initial access
0/19
execution
1/36
persistence
1/113
privilege escalation
1/96
defense evasion
0/184
credential access
0/63
discovery
0/44
lateral movement
0/22
collection
0/37
command and control
0/39
exfiltration
0/18
impact
0/26


[TTP Analysis] Mitre Attack Matrix:

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1053.002
Scheduled Task/job : At
T1053.002
Scheduled Task/job : At
T1053.002
Scheduled Task/job : At


[Infrastructure Analysis] Based on Related IOC:

IP:Port Timestamp
Domain Timestamp
URL Timestamp


[Target Analysis] Region/Sector:

No information


References:

News Basic Information Indicator of Compromise Mitre Attack

News Article (Credit @Malpedia)

APT Report 2019

2020-02-13 by Qi Anxin Threat Intelligence Center from Qianxin

FIN7 Revisited: Inside Astra Panel and SQLRat Malware

2019-03-20 by Joshua Platt from Flashpoint

Basic Information (Credit @etda.or.th)

Tool: DNSRat

Names: DNSRat, DNSbot

Description: (Flashpoint) The second new malware sample discovered is a multiprotocol backdoor called DNSbot, which is used to exchange commands and push data to and from compromised machines. Primarily, it operates over DNS traffic, but can also switch to encrypted channels such as HTTPS or SSL, Flashpoint analysts discovered.

Category: Malware

Type: Backdoor

Information: https://www.flashpoint-intel.com/blog/fin7-revisited:-inside-astra-panel-and-sqlrat-malware/

Malpedia: https://malpedia.caad.fkie.fraunhofer.de/details/js.dnsrat

Last-card-change: 2020-04-23

Source: https://apt.etda.or.th/cgi-bin/listtools.cgi

TTP Info (Credit @Mitre)

TA0043 TA0042 TA0001 TA0002 TA0003 TA0004 TA0005 TA0006 TA0007 TA0008 TA0009 TA0011 TA0010 TA0040
Reconnaissance Resource Development Initial Access Execution Persistence Privilege Escalation Defense Evasion Credential Access Discovery Lateral Movement Collection Command and Control Exfiltration Impact
T1053.002
SCHEDULED TASK/JOB : AT
at can be used to schedule a task on a system to be executed at a specific date or time.
T1053.002
SCHEDULED TASK/JOB : AT
at can be used to schedule a task on a system to be executed at a specific date or time.
T1053.002
SCHEDULED TASK/JOB : AT
at can be used to schedule a task on a system to be executed at a specific date or time.