{"description":"Trending threats, MITRE ATT\u0026CK coverage, and detection metadata. Fed continuously.","feed_url":"https://feed.craftedsignal.io/products/mediafire/feed.json","home_page_url":"https://feed.craftedsignal.io/","items":[{"_cs_actors":[],"_cs_cpes":[],"_cs_cves":[],"_cs_exploited":false,"_cs_has_poc":false,"_cs_poc_references":[],"_cs_products":["Microsoft Windows","Microsoft PowerShell","MediaFire","ngrok","Pastebin"],"_cs_severities":["high"],"_cs_tags":["abused-web-services","command-and-control","windows"],"_cs_type":"advisory","_cs_vendors":["Microsoft","MediaFire","ngrok","Pastebin"],"content_html":"\u003cp\u003eThis threat brief highlights the use of legitimate web services for malicious purposes. Attackers often leverage these services to host malware, exfiltrate data, or establish command and control (C2) channels. This activity focuses on detecting suspicious processes making DNS queries to domains associated with services like pastebin.com, mediafire.com, and ngrok.io. These services are abused due to their widespread use and the trust often placed in them, making it easier for attackers to blend in with normal network traffic. The increased use of such services in malicious campaigns necessitates proactive detection and monitoring. The scope of targeting includes any Windows endpoint within an organization's network. This activity is commonly seen across various malware families.\u003c/p\u003e\n\u003ch2 id=\"attack-chain\"\u003eAttack Chain\u003c/h2\u003e\n\u003col\u003e\n\u003cli\u003eA user clicks a malicious link or opens a compromised document (not directly observed in source).\u003c/li\u003e\n\u003cli\u003eThe compromised document executes a malicious script, such as PowerShell, via \u003ccode\u003ecmd.exe\u003c/code\u003e.\u003c/li\u003e\n\u003cli\u003eThe script initiates a DNS query to a known, abused web service, like \u003ccode\u003epastebin.com\u003c/code\u003e, using Windows DNS client.\u003c/li\u003e\n\u003cli\u003eThe attacker retrieves a payload or configuration from the web service via HTTP or HTTPS.\u003c/li\u003e\n\u003cli\u003eThe script downloads and executes the payload in memory or on disk.\u003c/li\u003e\n\u003cli\u003eThe payload establishes persistence and begins beaconing to a command-and-control server, potentially using \u003ccode\u003engrok.io\u003c/code\u003e for tunneling.\u003c/li\u003e\n\u003cli\u003eThe attacker uses the C2 channel to send commands and exfiltrate sensitive data or deploy additional malware.\u003c/li\u003e\n\u003cli\u003eThe attacker achieves their final objective, such as data theft, ransomware deployment, or system compromise.\u003c/li\u003e\n\u003c/ol\u003e\n\u003ch2 id=\"impact\"\u003eImpact\u003c/h2\u003e\n\u003cp\u003eSuccessful exploitation can lead to various detrimental outcomes. Malware infections can disrupt business operations, resulting in financial losses and reputational damage. Data exfiltration can compromise sensitive information, leading to legal and regulatory penalties. Ransomware deployment can encrypt critical files, holding the organization hostage. The wide range of services abused makes detection challenging but crucial. The impact can range from a single compromised host to a full-scale network breach.\u003c/p\u003e\n\u003ch2 id=\"recommendation\"\u003eRecommendation\u003c/h2\u003e\n\u003cul\u003e\n\u003cli\u003eEnable Sysmon Event ID 22 (DNS Query) logging to capture DNS query events (reference: description, search query).\u003c/li\u003e\n\u003cli\u003eDeploy the Sigma rules provided in this brief to your SIEM and tune them based on your environment's baseline (reference: rules).\u003c/li\u003e\n\u003cli\u003eReview and update firewall rules to restrict access to known abused web services if they are not required for business operations (reference: iocs).\u003c/li\u003e\n\u003cli\u003eInvestigate any alerts generated by these rules to identify and remediate potentially compromised hosts (reference: rules).\u003c/li\u003e\n\u003c/ul\u003e\n","date_modified":"2024-11-01T12:00:00Z","date_published":"2024-11-01T12:00:00Z","id":"https://feed.craftedsignal.io/briefs/2024-11-abused-web-services/","summary":"Suspicious processes on Windows hosts are making DNS queries to known, abused web services such as text-paste sites, file sharing platforms, and tunneling services, potentially indicating malware downloading or command and control activity.","title":"Windows Hosts Querying Abused Web Services","url":"https://feed.craftedsignal.io/briefs/2024-11-abused-web-services/"}],"language":"en","title":"CraftedSignal Threat Feed - MediaFire","version":"https://jsonfeed.org/version/1.1"}