- The Detour Dog malware campaign compromised more than 30,000 websites using DNS-based redirection
- Visitors were silently redirected to sites hosting Strela Stealer, a modular infostealer
- The attack went undetected for months thanks to DNS manipulation and abuse of legitimate infrastructure
Security researchers have uncovered a huge malware campaign that has managed to quietly compromise more than 30,000 websites, and with them countless visitors.
Infoblox researchers detailed a campaign they nicknamed Detour Dog, which targeted unprotected web servers with malware of the same name that forces the servers to redirect their visitors.
Since the DNS requests are made by the website itself, rather than by the visitor's browser, they are invisible to the victims (and to any security tooling running on the visitor's side). That has also helped the campaign stay undetected for as long as it has: several months.
Strela Stealer
Infoblox's analysis also revealed that the attackers used a combination of compromised registrars, DNS providers and poorly configured domains to spread Detour Dog.
Visitors are redirected from legitimate (but compromised) websites to sites hosting an infostealer called Strela Stealer. From there, the malware is delivered using standard techniques, such as drive-by downloads or the exploitation of browser vulnerabilities, depending on the victim's environment.
Strela Stealer itself was first spotted in late 2022. At the time, it was built solely to exfiltrate email credentials from Microsoft Outlook and Thunderbird.
However, it has evolved over the years and is now described as a modular infostealer that can extract credentials from several sources, including browsers. Once deployed, it communicates with command-and-control servers to exfiltrate stolen data and receive updates, making it a persistent threat.
Its attribution has not yet been established, but the word "strela" means "arrow" in Russian and in most other Slavic languages (with some variation).
Infoblox has notified the owners of all affected domains, as well as the relevant authorities, the report also said.
The victims are reportedly working to clean up their infrastructure, but the full scope of the damage remains uncertain. Security experts recommend that organizations audit their DNS configurations, monitor for unusual traffic patterns (in particular, DNS lookups made by the web server process itself to domains the site does not depend on) and deploy DNS security solutions to detect and block similar threats.
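The two detection points in this article, a web server resolving names on the visitor's behalf and the recommendation to watch for unusual traffic patterns, can be turned into a concrete check. The script below is an added example, not Infoblox's tooling and not code from the original report. It assumes a simplified four-column extract of a Zeek-style dns.log (timestamp, source host, queried name, record type) captured on the web server itself; the log lines, the `tds-lookup.invalid` and `assets-example.test` domains and the allowlist are all constructed for the example. It groups the server's own DNS queries by registered domain and flags domains that are not known dependencies and that show the two traits of a DNS-based redirect channel: TXT lookups and many distinct per-request names.

```python
"""Flag server-side DNS lookups that look like a DNS-based redirect channel.

Added example (not from the original article or from Infoblox). Parses a
simplified, tab-separated extract of a Zeek-style dns.log captured on a web
server: ts, source host, queried name, record type. All log lines, domains
and the allowlist below are constructed for illustration.
"""
from collections import defaultdict

# Constructed sample: what a web server at 10.0.0.5 resolved over a few seconds.
SAMPLE_LOG = """\
#fields\tts\torig_h\tquery\tqtype_name
1717000000.1\t10.0.0.5\tcdn.jsdelivr.net\tA
1717000001.2\t10.0.0.5\tapi.stripe.com\tA
1717000002.3\t10.0.0.5\tz3k9q.tds-lookup.invalid\tTXT
1717000002.9\t10.0.0.5\tm1p7c.tds-lookup.invalid\tTXT
1717000003.4\t10.0.0.5\tq8w2e.tds-lookup.invalid\tTXT
1717000004.0\t10.0.0.5\tr5t6y.tds-lookup.invalid\tTXT
1717000005.5\t10.0.0.5\tsmtp.mail-provider.example\tA
1717000006.6\t10.0.0.5\timg1.assets-example.test\tA
1717000007.7\t10.0.0.5\timg2.assets-example.test\tA
1717000008.8\t10.0.0.5\timg3.assets-example.test\tA
"""

# Constructed allowlist: registered domains the site legitimately depends on.
ALLOWLIST = {"jsdelivr.net", "stripe.com", "mail-provider.example"}


def parse_line(line):
    """Return {ts, host, query, qtype} for a data line, or None for headers/blank lines."""
    if not line or line.startswith("#"):
        return None
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 4:
        return None
    ts, host, query, qtype = parts
    return {"ts": float(ts), "host": host, "query": query, "qtype": qtype.upper()}


def registered_domain(fqdn):
    """Last two labels of a name. Simplification: no public-suffix list, so
    names under multi-label suffixes such as co.uk would be grouped too coarsely."""
    labels = fqdn.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else fqdn.lower()


def analyze(log_text, allowlist, min_distinct=3):
    """Group the server's queries by registered domain and return findings for
    non-allowlisted domains that look like a DNS-driven redirect channel:
    TXT lookups and/or at least `min_distinct` different queried names."""
    stats = defaultdict(lambda: {"txt": 0, "total": 0, "names": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[registered_domain(rec["query"])]
        entry["total"] += 1
        entry["names"].add(rec["query"].lower())
        if rec["qtype"] == "TXT":
            entry["txt"] += 1

    findings = []
    for domain, entry in stats.items():
        if domain in allowlist:
            continue
        reasons = []
        if entry["txt"]:
            reasons.append(f"{entry['txt']} TXT lookups made by the web server")
        if len(entry["names"]) >= min_distinct:
            reasons.append(f"{len(entry['names'])} distinct names (per-visitor lookups?)")
        if reasons:
            findings.append({"domain": domain, "queries": entry["total"], "reasons": reasons})

    # Most reasons first, then busiest domain, then name for a stable order.
    findings.sort(key=lambda f: (-len(f["reasons"]), -f["queries"], f["domain"]))
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_LOG, ALLOWLIST):
        print(f"{finding['domain']}: {finding['queries']} queries")
        for reason in finding["reasons"]:
            print(f"  - {reason}")
```

On the constructed log this reports `tds-lookup.invalid` first (four TXT lookups to four different random-looking names, both traits at once) and `assets-example.test` as a weaker hit (three distinct names, no TXT); the allowlisted dependencies are ignored even though one of them is also resolved by the server. In production, the allowlist should come from the site's actual dependency inventory, and the registered-domain step should use a public-suffix list rather than the two-label shortcut used here.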