Threat Intelligence Report
Date: August 6, 2024
Prepared by: David Brunsdon, Threat Intelligence - Security Engineer, HYAS
Dynamic DNS (DDNS) is a service that automatically updates the Domain Name System (DNS) in real-time to reflect changes in the IP addresses of a domain. Unlike traditional static DNS, where the IP address associated with a domain remains constant, dynamic DNS allows for the association between a domain and an IP address to be updated frequently. This capability is particularly useful for devices or networks with frequently changing IP addresses, such as home networks, small businesses, or mobile devices.
Dynamic DNS services are widely used for legitimate purposes, including remote access to home networks, managing internet-connected devices, and enabling consistent access to websites or services hosted on networks with dynamic IP addresses. However, the same features that make dynamic DNS useful for legitimate users can also be exploited by threat actors for malicious purposes.
Using dynamic DNS for command and control (C2) infrastructure in cyberattacks offers several benefits for threat actors, including:
Dynamic DNS services have many benign users but they can also be used by threat actors in phishing attacks and within malware to communicate with command and control (C2) infrastructure.
Using HYAS Insight threat intelligence, the HYAS team was able to analyze some dynamic DNS registrations from Q1 and Q2 of 2024 that originated in Turkey (Turkiye). The registration data we analyzed contained the registered domain name, the A record IP, and the IP address used when opening an account with the provider. We then identified which domains were malicious by cross-referencing this data against our malware data to determine which have been used this year in command and control.
An interesting trend was found in the malware families identified: Most of the malware were identified to be remote access trojans (RATs), and DarkComet malware was represented in over 50% of the malicious domains we identified. DarkComet has been available for download for over a decade, and has been researched thoroughly over the years. It has the typical RAT capabilities including keylogging, microphone capture, webcam capture, and remote access control. It’s also been used in numerous high-profile incidents, such as the 2012 attack on Miss Teen USA.
In data analyzed in the 2020 paper Dark Matter: Uncovering the DarkComet RAT Ecosystem, Turkey is identified as the country with the highest number of DarkComet C2 deployments. From our perspective, the popularity of DarkComet in Turkey (Turkiye) seems to continue to today.
DarkComet malware deployment is typically conducted using several methods:
DarkComet is a serious threat because it can download additional files to extend the impact and level of compromise. When a system has been compromised the threat actor could download additional malware to:
Using HYAS Insight threat intelligence, we collected a list of domains registered by actors in Turkey (Turkiye) in 2024 that include details such as, A Records, emails, and Actor IPs involved with specific domains. Due to the sensitive nature of these IOCs, we have withheld them from this report. If you would like access to these IOCs, please contact HYAS directly for more information.
Want more threat intel on a weekly basis?
Follow HYAS on LinkedIn
Follow HYAS on X
Read recent HYAS threat reports:
Caught in the Act: StealC, the Cyber Thief in C
HYAS Protects Against Polyfill.io Supply Chain Attack with DNS Safeguards
StealC & Vidar Malware Campaign Identified
Sign up for the (free!) HYAS Insight Intel Feed
Disclaimer: This Threat Intelligence Report is provided “as is” and for informational purposes only. HYAS disclaims all warranties, express or implied, regarding the report’s completeness, accuracy, or reliability. You are solely responsible for exercising your own due diligence when accessing and using this Report's information. The analyses expressed in this Report reflect our current understanding of available information based on our independent research using the HYAS Insight platform. The Report’s inclusion of any companies, organizations, or ASNs does not imply any wrongdoing on their part; it is simply an indication of where digital threat activities have been observed. HYAS reserves the right to update the Report as additional information is made known to us.
An efficient and expedient investigation is the best way to protect your enterprise. HYAS Insight provides threat and fraud response teams with unparalleled visibility into everything you need to know about the attack.This includes the origin, current infrastructure being used and any infrastructure.
Read how the HYAS Threat Intelligence team uncovered and mitigated a Russian-based cyber attack targeting financial organizations worldwide.
Polymorphic Malware Is No Longer Theoretical: BlackMamba PoC.
Polymporphic, Intelligent and Fully Autonomous Malware: EyeSpy PoC.