The SANS Internet Storm Center (ISC) on October 7th reported finding a malicious PowerShell script that implements backdoor remote access for intruders and is not well recognized by anti-virus solutions. Only two out of 60 anti-virus and endpoint security tools on VirusTotal detected it as a threat. The PowerShell script uses a popular tactic employed by threat actors to keep the domain names of their Command and Control (C2) servers from being easily discovered. Instead of hard-coding an IP address or domain name in the script, the malware author wrote a function that generates many domain names and tries establishing a connection to each one until it finds one that works. The operator of the malware does not have to register all the domains as long as they control at least one that the malware will try.
In this malware sample, the algorithm to generate the domain uses the current year, month, and week numbers from the system date, along with a list of five strings as part of the input to create the domain name to check. It also includes one hard-coded domain name, kama[.]mialeeka[.]com as a backup – this is somewhat unusual for a Domain Generation Algorithm (DGA), because it gives defenders a consistent domain name to alert on.
The domain names that will be used this week are the following:
It is important for security teams to not simply block the one hard-coded domain (kama[.]mialeeka[.]com) without also alerting and investigating whenever a process tries to resolve that domain. Simply blocking without alerting means the malware will go on with its list of DGA-generated domains, find one that works, and succeed in connecting to its C2 server. Analysts can use the DGA to determine the new domains each week and add them to threat intelligence lists or subscribe to a threat intelligence provider that handles that for them. The strongest approach is to detect processes that look up a high volume of random-looking domain names as a recurring threat hunt and investigate those that show a pattern that looks suspicious to the analyst. Binary Defense Threat Hunters have used this approach to find anomalous processes – while it is effective, it also takes some time to sort through the results that are simply online advertisers and cookie tracker domains, which also attempt to obfuscate their purpose by using DGAs. For threat hunters lacking the time for a deep investigation, Binary Defense recommends excluding web browsers from this hunt.
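One way to run the threat hunt described above over DNS-query logs, as an added Python example that is not part of the ISC report or of Binary Defense's tooling: it counts distinct random-looking lookups per process, skips browsers, and separately flags any process that resolves the hard-coded fallback domain. The log lines, process names, every domain other than the fallback, and the entropy-plus-digit randomness heuristic are constructed assumptions.

```python
import math
from collections import Counter, defaultdict

# Constructed DNS-query log ("process<TAB>queried domain"), the shape a Sysmon
# Event ID 22 export reduces to. Only the fallback domain is from the ISC
# report; every other domain here is made up for this example.
SAMPLE_LOG = """\
powershell.exe\tkama.mialeeka.com
powershell.exe\tx7q2m9k.c2-sample.net
powershell.exe\tz81kd3p.c2-sample.net
powershell.exe\tvb4n8q1.c2-sample.org
powershell.exe\tk9pl2xw.c2-sample.info
chrome.exe\tads.example.com
chrome.exe\tx8j2k1q.tracker-sample.net
chrome.exe\tp3m9z7v.tracker-sample.net
chrome.exe\tq1w2e3r.tracker-sample.net
chrome.exe\tn4b5v6c.tracker-sample.net
svchost.exe\ta1b2c3d4.cdn-sample.net
"""
HARDCODED_C2 = {"kama.mialeeka.com"}  # the sample's fallback domain, undefanged
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe", "iexplore.exe"}

def shannon_entropy(text):
    # Bits per character; a label built from many distinct symbols scores high.
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in Counter(text).values())

def looks_random(domain, min_len=6, min_entropy=2.5):
    # Heuristic (an assumption, not the ISC analysis): the leftmost label is
    # long, high-entropy and mixes digits into letters, as date-seeded output does.
    label = domain.split(".")[0]
    return (len(label) >= min_len
            and any(ch.isdigit() for ch in label)
            and shannon_entropy(label) >= min_entropy)

def hunt(log_text, min_random=4, exclude_browsers=True):
    # Returns (processes with >= min_random distinct random-looking lookups,
    #          processes that looked up the hard-coded fallback domain).
    random_per_proc = defaultdict(set)
    hardcoded_hits = set()
    for line in log_text.splitlines():
        proc, domain = line.split("\t")
        if domain in HARDCODED_C2:      # alert on this even when it is blocked
            hardcoded_hits.add(proc)
        if exclude_browsers and proc.lower() in BROWSERS:
            continue                    # ad/tracker DGAs would drown the signal
        if looks_random(domain):
            random_per_proc[proc].add(domain)
    flagged = {p: sorted(d) for p, d in random_per_proc.items() if len(d) >= min_random}
    return flagged, hardcoded_hits
```

Running `hunt(SAMPLE_LOG)` flags only powershell.exe, while `hunt(SAMPLE_LOG, exclude_browsers=False)` also surfaces chrome.exe's tracker lookups, which is the noise the browser exclusion is meant to remove.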