Quick Takeaways
- Detour Dog Unmasked: A threat actor, Detour Dog, has been identified as the source behind campaigns distributing the Strela Stealer information-stealing malware, utilizing compromised websites for attacks.
- Innovative Malware Distribution: The malware employs a novel DNS-based strategy, utilizing TXT records to execute remote commands and distribute payloads, marking an evolution in their methods since 2020.
- Financial Motivation & Infrastructure: Detour Dog has shifted from forwarding traffic for scams to distributing malware for financial gain, controlling approximately 69% of the identified staging hosts and leveraging botnets for spam email distribution.
- Threat Intelligence Efforts: Infoblox worked with the Shadowserver Foundation to sinkhole two of Detour Dog’s command-and-control domains, showcasing ongoing efforts to combat this emerging cybersecurity threat.
Detour Dog’s Intricate Malware Operation
Recently, cybersecurity experts identified a threat actor, known as Detour Dog, behind a sophisticated campaign distributing Strela Stealer, an information stealer. Findings from Infoblox reveal that Detour Dog controls domains hosting the malware’s initial stage, utilizing a backdoor called StarFish. Notably, this group has exploited vulnerable WordPress sites, injecting malicious JavaScript that employs DNS TXT records. This method acts as a traffic distribution system, redirecting visitors to malicious sites and malware.
Furthermore, the technique has evolved. Originally these redirects only fed visitors into scams; now they enable remote content execution through a DNS-based command-and-control channel. Infoblox traces Detour Dog’s activity back to February 2020, indicating a long-running presence in the threat landscape. Detection is difficult because the compromised websites behave normally most of the time and misbehave only sporadically.
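As an added defender-side example (not from the article or from Infoblox's research), this Python snippet shows how a DNS TXT channel like the one described above could be surfaced in resolver logs: it flags clients that repeatedly receive TXT answers carrying URLs or base64-like blobs, which ordinary SPF, DKIM, DMARC or site-verification records do not. The log format and every hostname are constructed placeholders, not real indicators.

```python
import base64
import re
from collections import defaultdict

# TXT prefixes that legitimately live in DNS (SPF, DKIM, DMARC, site verification).
BENIGN_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=", "ms=")
URL_RE = re.compile(r"https?://", re.IGNORECASE)
B64_RE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

# Constructed resolver log in an assumed "client qname qtype rdata" format; all hosts
# are placeholders. 10.0.0.7's TXT answers carry a base64 blob and a redirect URL.
ENCODED = base64.b64encode(b"https://landing.placeholder-c2.test/go").decode()
SAMPLE_LOG = f"""\
10.0.0.5 www.example-shop.test TXT "v=spf1 include:_spf.example.net ~all"
10.0.0.5 cdn.example-shop.test A 203.0.113.10
10.0.0.7 status.placeholder-c2.test TXT "{ENCODED}"
10.0.0.7 status.placeholder-c2.test TXT "redirect https://landing.placeholder-c2.test/go?id=1"
10.0.0.9 mail.example-shop.test TXT "google-site-verification=abc123"
"""

def classify_txt(rdata: str) -> str:
    """Label one TXT answer as 'benign', 'url', 'base64' or 'other'."""
    text = rdata.strip().strip('"')
    if text.lower().startswith(BENIGN_PREFIXES):
        return "benign"
    if URL_RE.search(text):
        return "url"
    if B64_RE.match(text) and len(text) % 4 == 0:
        try:
            base64.b64decode(text, validate=True)
            return "base64"
        except ValueError:  # binascii.Error subclasses ValueError
            pass
    return "other"

def parse_log(text: str) -> list:
    """Split 'client qname qtype rdata' lines into dicts, skipping malformed ones."""
    rows = [line.split(maxsplit=3) for line in text.splitlines()]
    return [dict(zip(("client", "qname", "qtype", "rdata"), r)) for r in rows if len(r) == 4]

def find_txt_c2_candidates(text: str, min_hits: int = 2) -> dict:
    """Return (client, qname) pairs that received at least min_hits TXT answers
    holding a URL or a base64 blob rather than mail or verification policy."""
    hits = defaultdict(list)
    for rec in parse_log(text):
        if rec["qtype"] == "TXT":
            label = classify_txt(rec["rdata"])
            if label in ("url", "base64"):
                hits[(rec["client"], rec["qname"])].append(label)
    return {pair: labels for pair, labels in hits.items() if len(labels) >= min_hits}
```

The min_hits threshold exists because a single URL-bearing TXT record is not unusual on its own; the signal is a host that keeps pulling such answers from the same name.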
Evolving Tactics and Malicious Infrastructure
Detour Dog’s infrastructure primarily hosts the StarFish backdoor, which serves as a conduit for Strela Stealer. This backdoor reaches infected machines via malicious SVG files, allowing persistent access. The cybercriminal group operates as an initial access broker, acquiring and selling access to compromised systems.
Recent investigations highlight the sophisticated mechanics behind this operation. Detour Dog uses compromised WordPress sites to execute code remotely, thus enhancing its resilience against detection. Although the primary operations focus on delivering malware, they adapt to shifting security measures to maximize their profits. With the evolution of their tactics, Detour Dog not only poses a significant threat to individual users but also challenges cybersecurity professionals trying to combat such agile and deceptive methodologies.