Thursday, October 10, 2024
HomeBotnetSandiFlux - Hackers using Fast Flux Method in Wild For Malware Distribution

SandiFlux – Hackers using Fast Flux Method in Wild For Malware Distribution

Published on

Hackers started using Fast Flux infrastructure in wild to hide the malicious activities such as malware and phishing campaigns. A new Fast flux infrastructure has been identified named as SandiFlux.

Fast Flux is a technique to have multiple IP addresses assigned to the same domain and they change consistently in quick sessions through DNS records.

Security researchers from Proofpoint identified a new Fast Flux infrastructure dubbed as SandiFlux used to distribute malware and it is acting as a proxy for Grand crab ransomware.

- Advertisement - EHA

Starting from December researchers observed new fast flux domain nodes and they decided to monitor separately along with some events from the dark cloud. Also, threat actors moved from DarkCloud to Sandiflux.

DarkCloud/Fluxxy botnet is centralized in Ukraine and Russia (77.4% and 14.5%), whereas SandiFlux nodes are concentrated in Romania and Bulgaria (46.4% and 21.3% of the botnet, respectively) also from other countries including Europe, Africa, the Middle East, and southern Asia.
Sandiflux
Sandiflux Heatmap

Starting from March 27, 2018, researchers spotted GandCrab ransomware C&C servers uses proxified SandiFlux infrastructure.

Sandiflux
Grandcrab proxified C&C communication

Although we have not observed a single overlap between DarkCloud and SandiFlux in the last four months, we cannot confirm that the two infrastructures are unrelated,” researchers said.

DarkCloud botnet was first uncovered in 2016 and it continues to expand, the botnet contains a huge number of name servers and it continues to change IP every minute to avoid detection.

Researchers concluded that “DarkCloud/Fluxxy is the best documented, a new Fast Flux botnet has emerged with nodes of compromised hosts distributed much more widely. It is likely that both are operated by the same actor who rents capabilities to other actors“.

Gurubaran
Gurubaran
Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.

Latest articles

Mozilla Warns Of Firefox Zero-Day Actively Exploited In Cyber Attacks

A critical use-after-free vulnerability affecting Firefox and Firefox Extended Support Release (ESR) is being...

SpyCloud Embeds Identity Analytics in Cybercrime Investigations Solution to Accelerate Insider and Supply Chain Risk Analysis & Threat Actor Attribution

IDLink, SpyCloud’s new automated digital identity correlation capability, is now core to its industry-leading...

Abusix and Red Sift Form New Partnership, Leveraging Automation to Mitigate Cyber Attacks

The agreement has marked over 600,000 fraudulent domains for takedown in just two months...

Hackers Exploiting Zero-day Flaw in Qualcomm Chips to Attack Android Users

Hackers exploit a zero-day vulnerability found in Qualcomm chipsets, potentially affecting millions worldwide.The flaw,...

Free Webinar

Protect Websites & APIs from Malware Attack

Malware targeting customer-facing websites and API applications poses significant risks, including compliance violations, defacements, and even blacklisting.

Join us for an insightful webinar featuring Vivek Gopalan, VP of Products at Indusface, as he shares effective strategies for safeguarding websites and APIs against malware.

Discussion points

Scan DOM, internal links, and JavaScript libraries for hidden malware.
Detect website defacements in real time.
Protect your brand by monitoring for potential blacklisting.
Prevent malware from infiltrating your server and cloud infrastructure.

More like this

GorillaBot Emerged As King For DDoS Attacks With 300,000+ Commands

The newly emerged Gorilla Botnet has exhibited unprecedented activity, launching over 300,000 DDoS attacks...

Flax Typhoon’s Botnet Actively Exploiting 66 Vulnerabilities In Various Devices

The Five Eyes agencies recently released a joint cybersecurity advisory detailing a new botnet,...

Researchers Detailed Raptor Train Botnet That 60,000+ Compromised Devices

Researchers discovered a large, Chinese state-sponsored IoT botnet, "Raptor Train," that compromised over 200,000...