
SandiFlux – Hackers using Fast Flux Method in Wild For Malware Distribution

Hackers have started using Fast Flux infrastructure in the wild to hide malicious activity such as malware and phishing campaigns. A new Fast Flux infrastructure, named SandiFlux, has been identified.

Fast Flux is a technique in which many IP addresses are assigned to the same domain and are rotated rapidly (often with very short TTLs) by changing its DNS records, so that the hostname keeps resolving even as individual nodes are taken down or blocked.
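To show what that rotation looks like from the defender's side, here is an added example (not from the original article or from Proofpoint) that scores domains for fast-flux indicators over passive-DNS style observations. The data, the `/16`-prefix diversity measure and the thresholds are constructed assumptions; the CDN-style domain is included to show why a short TTL alone is not enough to call something fast flux.

```python
"""Fast-flux indicator scoring over passive-DNS style A-record observations.

Thresholds and sample records are constructed for illustration (hypothetical).
"""
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Observation:
    ts: int      # unix seconds when the answer was observed
    domain: str
    ip: str
    ttl: int


def prefix16(ip: str) -> str:
    """Coarse network-diversity proxy (no ASN data needed offline)."""
    a, b, _, _ = ip.split(".")
    return f"{a}.{b}"


def flux_metrics(obs):
    """Per-domain: distinct IPs, distinct /16 prefixes, lowest TTL, IP churn rate."""
    by_domain = defaultdict(list)
    for o in obs:
        by_domain[o.domain].append(o)
    out = {}
    for domain, rows in by_domain.items():
        rows.sort(key=lambda r: r.ts)
        ips = {r.ip for r in rows}
        span_h = max(rows[-1].ts - rows[0].ts, 60) / 3600  # floor at 1 min
        out[domain] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len({prefix16(r.ip) for r in rows}),
            "min_ttl": min(r.ttl for r in rows),
            "ips_per_hour": len(ips) / span_h,
        }
    return out


def is_fast_flux(m, min_ips=5, min_prefixes=3, max_ttl=300):
    """Flag only when short TTLs coincide with many IPs spread across networks."""
    return (m["distinct_ips"] >= min_ips
            and m["distinct_prefixes"] >= min_prefixes
            and m["min_ttl"] <= max_ttl)


def classify(obs):
    return {d: is_fast_flux(m) for d, m in flux_metrics(obs).items()}


BASE = 1_522_108_800  # constructed timestamp
SAMPLE = [  # constructed observations, not real indicators
    *(Observation(BASE + i * 450, "flux.example", f"{91+i}.{200+i}.{i}.7", 60) for i in range(8)),
    *(Observation(BASE + i * 900, "cdn.example", f"203.0.113.{i+1}", 20) for i in range(4)),
    Observation(BASE, "stable.example", "198.51.100.10", 3600),
]

if __name__ == "__main__":
    for domain, verdict in classify(SAMPLE).items():
        print(domain, "fast-flux" if verdict else "ok", flux_metrics(SAMPLE)[domain])
```

Run against real passive-DNS exports, the prefix test should be replaced with ASN lookups, and thresholds tuned to the environment's own CDN and load-balancer baselines.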

Security researchers from Proofpoint identified a new Fast Flux infrastructure, dubbed SandiFlux, that is used to distribute malware and acts as a proxy for GandCrab ransomware.

Starting in December, researchers observed new fast flux domain nodes and decided to monitor them separately, alongside some events from DarkCloud. Threat actors also moved from DarkCloud to SandiFlux.

The DarkCloud/Fluxxy botnet is concentrated in Ukraine and Russia (77.4% and 14.5%), whereas SandiFlux nodes are concentrated in Romania and Bulgaria (46.4% and 21.3% of the botnet, respectively), with the remainder spread across other countries in Europe, Africa, the Middle East, and southern Asia.

[Figure: SandiFlux heatmap]

Starting on March 27, 2018, researchers spotted GandCrab ransomware C&C servers using the proxied SandiFlux infrastructure.

[Figure: GandCrab proxied C&C communication]

“Although we have not observed a single overlap between DarkCloud and SandiFlux in the last four months, we cannot confirm that the two infrastructures are unrelated,” researchers said.

The DarkCloud botnet was first uncovered in 2016 and continues to expand; it contains a huge number of name servers and changes IPs every minute to avoid detection.

Researchers concluded that “DarkCloud/Fluxxy is the best documented, a new Fast Flux botnet has emerged with nodes of compromised hosts distributed much more widely. It is likely that both are operated by the same actor who rents capabilities to other actors”.

Gurubaran

Gurubaran is a co-founder of Cyber Security News and GBHackers On Security. He has 10+ years of experience as a Security Consultant, Editor, and Analyst in cybersecurity, technology, and communications.
