We recently unraveled a mystery involving ~30k infected websites, DNS TXT records, and Strela Stealer #malware distribution. A threat actor who has been around since at least Feb 2020 has evolved to distribute malware through misdirection and a complex relay system, leaving defenders unsure where the actual malware is hosted.
And to top it off, we found that some of the campaigns were sent via REM Proxy, another threat actor we track via DNS that leverages compromised MikroTik routers. These campaigns were spam messages targeting #german speakers with malicious .svg files.
The attachments had links pointing to the first stage of the malware -- or did they? It turns out the threat actor, which we track as Detour Dog, is playing mind games. That link actually triggers server-side DNS queries, and the fun begins.
Here is the paper: https://blogs.infoblox.com/threat-intelligence/detour-dog-dns-malware-powers-strela-stealer-campaigns/
More nuggets in the replies.

#malware #infostealer #dns #threatintel #cybersecurity #cybercrime #scam #helptds #tds #infosec #infoblox #strelastealer #phishing #spam #remproxy

Detour Dog: DNS Malware Powers Strela Stealer Campaigns

30k sites infected with DNS malware by Detour Dog. Now linked to Strela Stealer, StarFish backdoor, REM Proxy, and Tofsee in global spam campaigns.

Infoblox Blog