{"id":9150,"date":"2023-11-06T06:00:27","date_gmt":"2023-11-06T13:00:27","guid":{"rendered":"https:\/\/blogs.infoblox.com\/?p=9150"},"modified":"2024-04-26T13:57:57","modified_gmt":"2024-04-26T20:57:57","slug":"malicious-dns-in-the-news","status":"publish","type":"post","link":"https:\/\/www.infoblox.com\/blog\/threat-intelligence\/malicious-dns-in-the-news\/","title":{"rendered":"Malicious DNS in the News"},"content":{"rendered":"

DNS for Early Threat Detection – Lumma C2<\/h3>\n

Only a few years ago, threat intelligence data on malicious domains provided a window of protection during which malware was still actively being spread. Protection could be afforded to many organizations by blocking the malicious domains that were published. Over time, threat actor techniques have evolved to the point where much of the potential damage and compromise is done long before any of the malicious domains are identified and propagated through open source intelligence (OSINT) (and most commercially available threat intel feeds). Threat actors are leveraging speed of execution to gain advantage and defenders need to respond accordingly.<\/p>\n

Our DNS Early Detection Program highlights and showcases the findings of Infoblox proprietary techniques that provide the earliest possible identification of potentially malicious domains. The program publishes our recent analysis of public OSINT disclosures of malicious domains compared against our early identification of these domains as suspicious.<\/p>\n

The NEED FOR SPEED<\/strong><\/em> is real. Infoblox identification of these suspicious domains makes them available for blocking weeks, even months, earlier than the domains published in many industry-wide malicious threat intel feeds.<\/p>\n\n\n\n
The data shows that Infoblox suspicious domain threat intel feeds identified 37 Lumma malicious domains, on average, 62.1 days sooner than availability in OSINT. Infoblox\u2019s suspicious domain data can help our customers avoid a potentially devastating data breach.<\/td>\n<\/tr>\n<\/tbody>\n<\/table>\n

Lumma C2 Stealer (Lumma)<\/h3>\n

Lumma is an information stealer that has been attributed to the threat actor \u201cShamel\u201d operating under the alias of Lumma. Lumma is available for purchase on Russian speaking Dark web forums as malware-as-a-service (MaaS). MaaS access to Lumma provides even the most inexperienced threat actors with an inexpensive way to gain access to relatively sophisticated and dangerous tools.<\/p>\n

The nature of how Lumma is packaged and presented as almost any standard commercial product might be at times appears surreal. Lumma is sold in various \u201cplans\u201d that include log upload and log analysis. Then optionally, depending on the plan selected, the user may also license the use of special log and traffic analysis tools, and, in the high end \u201cCorporate\u201d version, a feature which includes the ability to bypass many types of proactive defensive protections. The pricing for these plans runs between $250 to $1,000 U.S.<\/p>\n

The Lumma payload is typically distributed via spear phishing campaigns with malicious attachments, and malvertising campaigns with embedded malicious links. Lumma steals system data and sensitive information from infected machines, including browser data,1<\/sup> stored credentials and cryptocurrency data,2<\/sup> as well as two-factor authentication browser extensions.3<\/sup><\/p>\n

Analysis and Methodology<\/h3>\n

In late September, 2023, data on 85 Lumma domains was published in OSINT. Analysis of these malicious domains was done by the Infoblox team to determine if they were identified earlier by our suspicious domain feeds.<\/p>\n

Each malicious domain identified in OSINT was researched in the Infoblox Dossier portal by our team. We reviewed our timeline feature to extract the earliest dates associated with Infoblox suspicious designation. We also extracted the WHOIS information for additional context.<\/p>\n

The conclusions of our analysis were definitive:<\/p>\n