PerezBox

Tony Perez On Security, Business, And Life

Mitigating Web Threats with DNS Security | CleanBrowsing

Published in Security on December 24, 2019

On December 18th, DeepInstinct put out a great article outlining the latest Legion Loader campaign. Whether you are a parent or an organization, it serves as a great example of the effectiveness of DNS security in mitigating this type of attack.

Legion Loader Campaign

This campaign is suspected of being a dropper-for-hire campaign because of the number of different malware payloads it’s distributing (e.g., info-stealers, backdoors, crypto-miners, etc…).

Legion Loader Payloads (Source: DeepInstinct)

I encourage you to read DeepInstinct's article if you want to better understand how it works. What I'll focus on in this article is how DNS can function as a highly effective security control to help you protect your network.

Anatomy of the Legion Loader Campaign

This campaign, like many my teams have worked on and analyzed over the years, depends on a Command & Control (C&C) construct to function.

The C&C, as the name implies, is the brain of the operation. It coordinates the traffic, and the associated attacks, based on specific conditions; those conditions vary with whatever the business logic of the campaign happens to be.

The key in this configuration is how infected websites interact with a device and how that device communicates with the C&C.

A great way to illustrate what this means is to look at how the crypto-stealer payload works. When a user visits an infected website, it initiates PowerShell and makes the following request:

Courtesy of DeepInstinct

PowerShell ships with every Windows machine. Because the request is made locally from the device, it resolves the C&C hostname through your network's DNS.

CleanBrowsing Mitigating all Legion Loader C&C domains

This allows you to leverage something like CleanBrowsing to analyze and mitigate outbound requests to malicious C&C servers. For example, in this campaign, the following domains were identified as the key C&C domains:

ntupdate4[.]top  
ntupdate3[.]top  
iplogger[.]org  
stationstall2[.]info  
egreetcards942[.]servehttp[.]com  
legion1488[.]info

In this example, when a machine on your network tries to access a malicious domain, it is returned an NXDOMAIN response (the resolver reports that the name does not exist):

nslookup legion1488.info 185.228.168.9
Server: 185.228.168.9
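To show what happens on the resolver side of that nslookup, here is an added example (not code from the post or from CleanBrowsing) of a minimal filtering function: it parses the question name out of a raw DNS query, matches it and any subdomain against the defanged C&C list above, and answers a blocked query with an NXDOMAIN response. The packet layout follows RFC 1035; the function names and the constructed query are my own.

```python
import struct

# Blocklist constructed from the defanged domains in the post; "[.]" is undone here.
BLOCKED_C2 = [d.replace("[.]", ".") for d in (
    "ntupdate4[.]top", "ntupdate3[.]top", "iplogger[.]org",
    "stationstall2[.]info", "egreetcards942[.]servehttp[.]com", "legion1488[.]info",
)]

def encode_qname(name):
    """Encode a hostname as length-prefixed DNS labels (RFC 1035, 3.1)."""
    labels = name.rstrip(".").split(".")
    return b"".join(bytes([len(lb)]) + lb.encode("ascii") for lb in labels) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Build a minimal DNS query: one question, type A by default, RD bit set."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_qname(name) + struct.pack(">HH", qtype, 1)

def parse_qname(packet, offset=12):
    """Decode the first question's QNAME; returns (name, offset just past it)."""
    labels = []
    while True:
        length = packet[offset]
        offset += 1
        if length == 0:
            return ".".join(labels), offset
        if length & 0xC0:  # compression pointers are not expected in a question name
            raise ValueError("unexpected compression pointer in QNAME")
        labels.append(packet[offset:offset + length].decode("ascii"))
        offset += length

def is_blocked(name, blocklist=BLOCKED_C2):
    """True for a listed domain and for any subdomain of it (e.g. cdn.legion1488.info)."""
    name = name.lower().rstrip(".")
    return any(name == b or name.endswith("." + b) for b in blocklist)

def filter_query(packet):
    """Return an NXDOMAIN response for a blocked query, or None to let it pass upstream."""
    txid, flags, qdcount = struct.unpack(">HHH", packet[:6])
    if qdcount != 1:
        return None
    name, end = parse_qname(packet)
    if not is_blocked(name):
        return None
    # QR=1 (response), RD copied from the query, RA=1, RCODE=3 (NXDOMAIN)
    resp_flags = 0x8000 | (flags & 0x0100) | 0x0080 | 0x0003
    header = struct.pack(">HHHHHH", txid, resp_flags, 1, 0, 0, 0)
    return header + packet[12:end + 4]  # echo the question (QNAME + QTYPE + QCLASS)

def rcode(packet):
    """Extract the response code from a DNS header (3 means NXDOMAIN)."""
    return struct.unpack(">H", packet[2:4])[0] & 0x000F
```

Blocking the parent domain covers new subdomains an attacker rotates through, which is why the match is on the name and its suffix rather than an exact string.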

This means that even if an attacker is able to trick a user into visiting an infected website, and the local controls fail to restrict the browser from taking local actions, you still have an additional control that helps mitigate the threat.

Who doesn't want more security controls? :)

Category: Security Topics: Web And Information Security

About Tony Perez

One of CleanBrowsing and NOC.org Founders. Formerly GoDaddy's General Manager (GM) for the Security Product Group. Responsible for the Sucuri brand, Certificate Authority (CA), Content Distribution Network (CDN), Website Application Firewall (WAF), Website Backups, Monitoring, and Incident Response products and services. The former CEO / Co-Founder of Sucuri and US Marine.

You can follow me on Twitter at @perezbox.
