
- DetourDog malware campaign compromised over 30,000 websites using DNS redirection
- Victims were silently redirected to sites hosting Strela Stealer, a modular infostealer
- Attack remained undetected for months due to DNS-level manipulation and infrastructure abuse
Security researchers have spotted an enormous malware[1] campaign which managed to quietly compromise more than 30,000 websites, as well as countless visitors.
Researchers from Infoblox detailed a campaign they dubbed DetourDog, which targeted unprotected servers with a piece of malware of the same name, forcing the servers to redirect the visitors.
Since the DNS requests are made by the compromised website itself, rather than by the visitors, they are invisible to the victims. This also helped the campaign remain undetected for as long as it did – several months.
Strela Stealer
Infoblox’s analysis also revealed that the attackers used a combination of compromised registrars, DNS providers, and misconfigured domains to propagate DetourDog.
The victims are redirected from legitimate (but compromised) websites to those hosting an infostealer called Strela Stealer. From there, the malware was delivered using standard drive-by techniques, such as prompting downloads or exploiting browser[2] vulnerabilities, depending on the victim’s environment.
Strela Stealer itself was first spotted in late 2022. At the time, it was built just to exfiltrate email credentials from Microsoft[3] Outlook and Thunderbird.
However, it evolved throughout the years, and is now described as a modular infostealer that can extract credentials from multiple sources, as well as browsers. Once deployed, it communicates with command-and-control servers to exfiltrate stolen data and receive updates, making it a persistent threat.
Its attribution has not been established yet, but the word ‘strela’ means ‘arrow’ in Russian and most other Slavic languages (with some variation).
The report adds that Infoblox notified all affected domain owners, as well as the relevant authorities.
Victims are apparently working on cleaning up their infrastructure, but the full scope of the damage remains unclear. Security experts recommend that organizations audit their DNS configurations, monitor for unusual traffic patterns, and deploy DNS security solutions to detect and block similar threats.
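The mechanism described above (DNS lookups made by the web server rather than the visitor) and the closing recommendations (audit DNS configurations, watch for unusual traffic) both point at the same defensive check: look at what the server itself is resolving, and compare your zone's records against a known-good baseline. The script below is an added illustration of that check; it is not code from the Infoblox report or the TechRadar article. The resolver log lines, domain names and record values are constructed for the example, the log format assumes a dnsmasq-style `query[TYPE] name from client` line, and `registrable_domain()` uses a naive last-two-labels rule rather than the public suffix list.

```python
"""Two defender-side checks for server-side DNS abuse (added example).

1. unexpected_queries(): parse a resolver log and count lookups made by the
   web server for domains outside an allowlist. A web server that suddenly
   starts resolving names nobody deployed is worth a look.
2. dns_drift(): diff two snapshots of a zone's records to catch changes made
   through a registrar or DNS provider that the owner did not make.
"""
import re
from collections import Counter

# Constructed sample log (dnsmasq-style format is an assumption for this example).
SAMPLE_LOG = """\
Oct  9 10:00:01 web01 dnsmasq[512]: query[A] api.payments.example from 10.0.0.5
Oct  9 10:00:02 web01 dnsmasq[512]: query[A] cdn.example from 10.0.0.5
Oct  9 10:00:03 web01 dnsmasq[512]: query[TXT] a1b2c3.lookup-example.invalid from 10.0.0.5
Oct  9 10:00:04 web01 dnsmasq[512]: query[TXT] d4e5f6.lookup-example.invalid from 10.0.0.5
Oct  9 10:00:05 web01 dnsmasq[512]: query[A] api.payments.example from 10.0.0.5
"""

# Registrable domains the web tier is expected to resolve (constructed).
EXPECTED_DOMAINS = {"payments.example", "cdn.example"}

LOG_RE = re.compile(r"query\[(?P<qtype>[A-Z]+)\]\s+(?P<name>\S+)\s+from\s+(?P<client>\S+)")


def parse_queries(log_text):
    """Yield {qtype, name, client} dicts for each query line; skip unrelated lines."""
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m:
            yield m.groupdict()


def registrable_domain(name):
    """Naive registrable domain: last two labels (assumption; real code would
    consult the public suffix list, where 'co.uk'-style suffixes break this)."""
    parts = name.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def unexpected_queries(log_text, expected):
    """Count server-originated lookups whose registrable domain is not allowlisted,
    keyed by (query type, registrable domain)."""
    counts = Counter()
    for q in parse_queries(log_text):
        dom = registrable_domain(q["name"])
        if dom not in expected:
            counts[(q["qtype"], dom)] += 1
    return counts


def dns_drift(baseline, current):
    """Diff two snapshots shaped {(name, rtype): set(values)}.

    Returns dict with 'added' and 'removed' record keys and 'changed' tuples of
    (name, rtype, old_values, new_values). NS or A changes you did not make are
    the classic sign of a registrar/DNS-provider compromise."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    changed = []
    for key in sorted(set(baseline) & set(current)):
        if baseline[key] != current[key]:
            changed.append((key[0], key[1], baseline[key], current[key]))
    return {"added": added, "removed": removed, "changed": changed}


# Constructed zone snapshots: the A record for www changed, an MX record appeared.
BASELINE_ZONE = {
    ("www.example", "A"): {"203.0.113.10"},
    ("example", "NS"): {"ns1.example", "ns2.example"},
}
CURRENT_ZONE = {
    ("www.example", "A"): {"198.51.100.7"},
    ("example", "NS"): {"ns1.example", "ns2.example"},
    ("mail.example", "MX"): {"10 mx.example"},
}

if __name__ == "__main__":
    for (qtype, dom), n in unexpected_queries(SAMPLE_LOG, EXPECTED_DOMAINS).items():
        print(f"server-side lookup outside allowlist: {qtype} {dom} x{n}")
    drift = dns_drift(BASELINE_ZONE, CURRENT_ZONE)
    for name, rtype, old, new in drift["changed"]:
        print(f"record changed: {name} {rtype} {sorted(old)} -> {sorted(new)}")
    for key in drift["added"]:
        print(f"record added: {key}")
```

Run it against your own resolver logs and a periodically exported zone snapshot; the point of the first check is that the lookups come from the server, so client-side or browser-side monitoring never sees them, and the point of the second is that a record change at the registrar or DNS provider is invisible from inside the web server.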
References
- ^ malware (www.techradar.com)
- ^ browser (www.techradar.com)
- ^ Microsoft (www.techradar.com)
- ^ Follow TechRadar on Google News (news.google.com)
- ^ add us as a preferred source (www.google.com)
- ^ follow TechRadar on TikTok (www.tiktok.com)
- ^ WhatsApp (whatsapp.com)