Infoblox’s DNS Early Detection Program flags potentially harmful domains shortly after they are registered. In this case it identified and blocked infrastructure of the Lazarus Group’s KandyKorn malware campaign well before the domains appeared in public OSINT reporting. The case illustrates why speed matters against such threats: timely alerting and blocking at the DNS layer closes the window between a domain’s registration and its first use. Affected: cybersecurity, finance, healthcare, supply chain management, government sectors
Keypoints :
- Infoblox’s program detects malicious domains early through proprietary techniques.
- Threat actors stand up and use new infrastructure faster than traditional threat intelligence feeds can publish it.
- The Lazarus Group has a long history of cybercrime, targeting various sectors.
- KandyKorn is a sophisticated remote access trojan (RAT) aimed at blockchain software engineers.
- Infoblox blocked the critical C2 domain tp-globa[.]xyz just two days after its registration.
- Identification of malicious domains ahead of public OSINT releases enhances organizational security.
- The program helps reduce the risk of financial loss and data breaches caused by malware.
- Infoblox’s suspicious domain data assists in effectively addressing new cybersecurity threats.
MITRE Techniques :
- Phishing (T1566; the Discord lure matches sub-technique T1566.003, Spearphishing via Service): the Lazarus Group used social engineering in Discord to trick targets into downloading the malicious Watcher.py script.
- Command and Control via Application Layer Protocol (T1071): KandyKorn communicates with its command and control server through the malicious domain tp-globa[.]xyz.
- Command and Scripting Interpreter: Python (T1059.006): the staged Python scripts execute the KandyKorn payload.
- Boot or Logon Autostart Execution (T1547): the malware establishes persistence so that it survives reboots and logins, as shown by the SUGARLOADER stage.
- OS Credential Dumping (T1003): KandyKorn is built to collect and exfiltrate sensitive data from the host, which points at user credentials as one of its targets.
Indicators of Compromise :
- [Domain] tp-globa[.]xyz
- [Domain] pro-tokyo[.]top
- [WHOIS Date] August 13, 2023
- [WHOIS Date] July 18, 2023
- [Filename] Cross-Platform Bridges.zip
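The two detection ideas the page relies on, matching resolver traffic against published indicators and flagging queries to domains that were registered only days earlier, can be reproduced locally. The script below is an added example, not Infoblox code and not from the Infoblox blog: it refangs the IoC domains above, parses a few constructed resolver log lines in an assumed BIND-style query-log format, and reports each query that either matches a known indicator or resolves a domain younger than a threshold. The WHOIS creation dates are an assumption: the page lists July 18 and August 13, 2023 without saying which domain each belongs to, so the mapping below (and the third, never-published lure domain) is invented for the demonstration.

```python
import re
from datetime import datetime, date

# Indicators exactly as published on this page, in defanged form.
IOC_DOMAINS_DEFANGED = ["tp-globa[.]xyz", "pro-tokyo[.]top"]

# ASSUMED WHOIS creation dates. The page does not say which of its two
# WHOIS dates belongs to which domain; the third entry is a constructed
# domain that stands in for infrastructure not yet in any public feed.
ASSUMED_WHOIS_CREATED = {
    "tp-globa.xyz": date(2023, 8, 13),
    "pro-tokyo.top": date(2023, 7, 18),
    "new-lure-example.top": date(2023, 8, 14),  # hypothetical, not on the page
}

# Queries to domains registered within this many days are treated as
# newly registered domains (NRD). The value is a policy choice, not from the page.
NRD_THRESHOLD_DAYS = 30

# Constructed resolver log lines; the BIND-like layout is an assumption.
SAMPLE_LOG = """\
2023-08-15T10:02:11Z client 10.0.5.23 query: tp-globa.xyz IN A
2023-08-15T10:02:12Z client 10.0.5.23 query: cdn.example.com IN A
2023-08-15T10:04:40Z client 10.0.7.9 query: PRO-TOKYO.TOP. IN TXT
2023-08-15T10:05:01Z client 10.0.7.9 query: mail.example.org IN MX
2023-08-15T11:17:30Z client 10.0.9.4 query: new-lure-example.top IN A
not a query line at all
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) client (?P<src>\S+) query: (?P<qname>\S+) IN (?P<qtype>\S+)$"
)


def refang(domain: str) -> str:
    """Turn a defanged indicator such as 'tp-globa[.]xyz' into a real name."""
    return domain.replace("[.]", ".").strip().lower().rstrip(".")


def parse_log(text: str):
    """Yield dicts for each well-formed query line; qnames are normalised."""
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that do not match the expected layout
        rec = m.groupdict()
        rec["qname"] = rec["qname"].lower().rstrip(".")
        rec["observed"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").date()
        yield rec


def domain_age_days(domain: str, observed: date, whois=ASSUMED_WHOIS_CREATED):
    """Days between WHOIS creation and the observation, or None if unknown."""
    created = whois.get(domain)
    if created is None:
        return None
    return (observed - created).days


def classify(rec: dict, ioc_set: set, threshold: int = NRD_THRESHOLD_DAYS):
    """Return the list of reasons a query is suspicious (empty if benign)."""
    reasons = []
    if rec["qname"] in ioc_set:
        reasons.append("known_ioc")
    age = domain_age_days(rec["qname"], rec["observed"])
    if age is not None and age <= threshold:
        reasons.append(f"newly_registered({age}d)")
    return reasons


def scan(text: str, iocs=IOC_DOMAINS_DEFANGED):
    """Return (source_ip, qname, reasons) for every flagged query in the log."""
    ioc_set = {refang(d) for d in iocs}
    hits = []
    for rec in parse_log(text):
        reasons = classify(rec, ioc_set)
        if reasons:
            hits.append((rec["src"], rec["qname"], reasons))
    return hits


if __name__ == "__main__":
    for src, qname, reasons in scan(SAMPLE_LOG):
        print(f"{src} -> {qname}: {', '.join(reasons)}")
```

The third hit is the point of the page: `new-lure-example.top` matches no indicator, yet the age check still flags it, which is the kind of signal a DNS-layer control can act on before an IoC list exists. In production the WHOIS lookup would come from a registration-data feed or passive DNS first-seen timestamps rather than a hard-coded dictionary, and the threshold should be tuned to the organisation’s tolerance for false positives on legitimate new domains.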
Full Story: https://blogs.infoblox.com/threat-intelligence/dns-for-early-detection-lazarus-kandykorn/