Trusted Design

Covert Channels and Poor Decisions: The Tale of DNSMessenger

概要

(Cisco) What initially drew our interest to this particular malware sample was a tweet published by security researcher on Twitter (thanks simpo!) regarding a Powershell script that he was analyzing that contained the base64 encoded string 'SourceFireSux'. Interestingly enough, Sourcefire was the only security vendor directly referenced in the Powershell script. We searched for the base64 encoded value which was referenced in the tweet, and were able to identify a sample that had been uploaded to the public malware analysis sandbox, Hybrid Analysis. Additionally, when we searched for the decoded string value we found a single search engine result that pointed to a Pastebin page. The hash listed in the Pastebin led us to a malicious Word document that had also been uploaded to a public sandbox. The Word document initiated the same multiple-stage infection process as the file from the Hybrid Analysis report we previously discovered and allowed us to reconstruct a more complete infection process.

Created: 2026-02-23

Indicators

• domain - tijm.pw -
• domain - oyaw.club -
• domain - cuuo.us -
• domain - lnoy.site -
• domain - odwf.pw -
• domain - xhqd.pw -
• domain - idjb.us -
• domain - turp.pw -
• domain - vwcq.us -
• domain - odyr.us -
• FileHash-SHA256 - be5f4bfa35fc1b350d38d8ddc8e88d2dd357b84f254318b1f3b07160c3900750 -
• domain - qlpa.club -
• FileHash-SHA256 - 7f0a314f15a6f20ca6dced545fbc9ef8c1634f9ff8eb736deab73e46ae131458 -
• domain - otzd.pw -
• domain - fhyi.club -
• domain - futh.pw -
• domain - sgvt.pw -
• domain - bvyv.club -
• domain - cspg.pw -
• domain - hvzr.info -
• domain - zody.pw -
• domain - eter.pw -
• domain - swio.pw -
• domain - vpua.pw -
• domain - ooep.pw -
• domain - yqox.pw -
• domain - vdfe.site -
• domain - pvze.club -
• domain - lvxf.pw -
• domain - fbjz.pw -
• domain - oknz.club -
• domain - bpee.pw -
• domain - nwrr.pw -
• domain - eady.club -
• domain - gjuc.pw -
• domain - mjet.pw -
• FileHash-SHA256 - f82baa39ba44d9b356eb5d904917ad36446083f29dced8c5b34454955da89174 -
• domain - zmyo.club -
• domain - bwuk.club -
• domain - soru.pw -
• domain - cgqy.us -
• domain - wqiy.info -
• domain - mxfg.pw -
• domain - grij.us -
• domain - reld.info -
• domain - ysxy.pw -
• domain - pafk.us -
• domain - algew.me -
• domain - qznm.pw -
• domain - vjro.club -
• domain - enuv.club -
• domain - kshv.site -
• domain - dbxa.pw -
• domain - cihr.site -
• domain - doof.pw -
• domain - ueox.club -
• domain - jomp.site -
• domain - vkpo.us -
• domain - dvso.pw -
• domain - cnmah.pw -
• domain - daskd.me -
• domain - aloqd.pw -
• domain - dtxf.pw -
• domain - okiq.pw -
• domain - zjvz.pw -
• domain - pbbk.us -
• domain - nxpu.site -
• domain - ldzp.pw -
• domain - tsrs.pw -
• FileHash-SHA256 - 340795d1f2c2bdab1f2382188a7b5c838e0a79d3f059d2db9eb274b0205f6981 -
• domain - jxhv.site -
• domain - yedq.pw -
• FileHash-SHA256 - f9e54609f1f4136da71dbab8f57c2e68e84bcdc32a58cc12ad5f86334ac0eacf -
• domain - wfsv.us -
• domain - nroq.pw -
• domain - gnoa.pw -
• domain - kjke.pw -
• domain - zdqp.pw -
• FileHash-SHA256 - fd6e7fc11a325c498d73cf683ecbe90ddbf0e1ae1d540b811012bd6980eed882 -
• domain - ckwl.pw -
• domain - zjav.us -
• domain - lhlv.club -
• domain - vqba.info -
• FileHash-SHA256 - 9b955d9d7f62d405da9cf05425c9b6dd3738ce09160c8a75d396a6de229d9dd7 -
• domain - vxwy.pw -
• domain - ooyh.us -
• domain - palj.us -
• domain - mewt.us -
• domain - coec.club -
• domain - wvzu.pw -
• domain - zugh.us -
• domain - yamd.pw -
• domain - ihrs.pw -
• domain - gjcu.pw -
• domain - qefg.info -
• domain - ppdx.pw -
• domain - mvze.pw -
• domain - dlex.pw -
• domain - lvrm.pw -
• domain - vxqt.us -
• domain - utca.site -
• domain - dyiud.com -
• domain - rnkj.pw -
• FileHash-SHA256 - 6bf9d311ed16e059f9538b4c24c836cf421cf5c0c1f756fdfdeb9e1792ada8ba -
• domain - jimw.club -
• domain - gxhp.top -
• domain - kwoe.us -
• domain - mfka.pw -
• domain - oxrp.info -
• domain - mjut.pw -
• domain - ufyb.club -
• domain - rzzc.pw -
• domain - zcnt.pw -
• domain - oaax.site -

類似Pulses

• Aggressive Malware Pushers: Prolific Cyber Surfers Beware (score: 0.64)
• PowerSniff Malware Used in Macro-based Attacks (score: 0.64)
• NetTraveler APT Targets Russian, European Interests (score: 0.63)
• Discovering Recent PlugX Campaigns Programmatically (score: 0.61)
• Macro documents with XOR Encoded Payloads (score: 0.61)

このPulseに関連する脅威アクター (事実ベース)

このPulseに関連する脅威アクター (推論ベース)

Related CVEs

このPulseに見つかったCVEはありません。

Pulse – 脅威アクター グラフ

---

← Pulse一覧に戻る