Was making some tweaks to the presentation I'll be giving next week @DianaInitiative when I checked in on the old activity.
Guess what? It's still active, and now I'm giving it a name: SLOR.
Previous thread for reference: https://twitter.com/hexadecim8/status/998716575980097543
As a brief recap; I found some weird stuff, brought it to twitter, and with the help of
@DanielGallagher and others, followed the trail into an investigation that ended up being what looks like a fast-flux malware delivery campaign.
I could have stopped when I realized what I was looking at, but I'm stubborn and have a bad habit of chasing wild geese. Instead of wasting my time, though, I was able to see how SLOR evolved over the months since I first posted about it. Now I'm sharing those details with you!
I'm calling it SLOR as short for "Shelf Life Of Ritalin", which was one of the odd strings found in a weaponized Word document. If you search that string on Google, or even Bing, and hit it with "filetype:doc", you'll be surprised at how many odd sites you'll find.
Also, I'm calling it SLOR because it's the name of an interdimensional monster from Ghostbusters, my favorite movie ever. pic.twitter.com/QT1pSAN764
When we last visited SLOR, the operators were using Domain Generation Algorithms (DGA) to create their delivery domains. Pretty lame, but easy to track. pic.twitter.com/WzvRPfRfTc
The operators would also rotate the TLDs daily, sometimes registering up to 15 in a day before moving on to another TLD the next day, all using DGA for the second-level domains and subdomains.
The operators have since changed their TTPs to use second-level domains that look much more legit, but still use DGA for the delivery subdomain. pic.twitter.com/6dlWKR535L
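The two TTPs the thread describes (a daily burst of fresh domains in one TLD, then later an ordinary-looking second-level domain with a generated delivery subdomain) are both visible in passive DNS or resolver logs. The following is an added example, not code from the thread's author, showing one way to hunt for both patterns. The log format, the client addresses, every domain name in SAMPLE_LOG and the scoring thresholds are constructed for illustration and are not indicators from the campaign; the "DGA-like" test is a plain character-statistics heuristic, and the name splitter assumes a single-label public suffix (real tooling should consult the Public Suffix List).

```python
import math
from collections import defaultdict

# Constructed resolver log: "date client queried_name rtype" per line.
# The names are made up for this example and are not real SLOR indicators.
SAMPLE_LOG = """\
2018-07-30 10.0.0.5 q7x2kzpq.invoice-portal.example A
2018-07-30 10.0.0.5 www.invoice-portal.example A
2018-07-30 10.0.0.7 mail.example.org A
2018-07-30 10.0.0.9 vb3kq9zt.cloud-docs.example A
2018-07-30 10.0.0.9 xk9vq2mw.cloud-docs.example A
2018-07-30 10.0.0.9 update.vendor-support.example A
2018-07-31 10.0.0.5 static.cdn-assets.test A
2018-07-31 10.0.0.7 kz8qvx2p.share-files.test A
"""

VOWELS = set("aeiou")


def shannon_entropy(s: str) -> float:
    """Bits of entropy per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    n = len(s)
    counts = {}
    for ch in s:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def is_dga_like(label: str, min_len: int = 6) -> bool:
    """Heuristic (thresholds are assumptions): a label looks machine-generated
    when at least two of three signals fire: letters mixed with digits, very
    few vowels, high per-character entropy. Short labels are not judged."""
    label = label.lower()
    if len(label) < min_len:
        return False
    letters = [c for c in label if c.isalpha()]
    digits = [c for c in label if c.isdigit()]
    vowel_ratio = (sum(c in VOWELS for c in letters) / len(letters)) if letters else 0.0
    score = 0
    score += bool(letters and digits)
    score += vowel_ratio < 0.25
    score += shannon_entropy(label) >= 3.0
    return score >= 2


def split_name(name: str):
    """Split a queried name into (subdomain labels, registrable domain, TLD).
    Assumption: the public suffix is one label, so 'co.uk'-style suffixes are
    mis-split; use the Public Suffix List in production."""
    labels = name.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return [], name, ""
    return labels[:-2], ".".join(labels[-2:]), labels[-1]


def parse_log(text: str):
    """Yield (date, client, name) from 'date client name rtype' lines."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3:
            continue
        yield parts[0], parts[1], parts[2]


def find_dga_subdomains(text: str):
    """Names whose registrable domain looks ordinary but whose subdomain
    labels look generated: the later TTP the thread describes."""
    hits = []
    for date, client, name in parse_log(text):
        subs, _, _ = split_name(name)
        if any(is_dga_like(lbl) for lbl in subs):
            hits.append((date, client, name))
    return hits


def tld_bursts(text: str, threshold: int):
    """Distinct registrable domains seen per (date, TLD), keeping only counts
    at or above threshold: the earlier 'many new domains in one TLD per day' TTP."""
    seen = defaultdict(set)
    for date, _, name in parse_log(text):
        _, registrable, tld = split_name(name)
        seen[(date, tld)].add(registrable)
    return {k: len(v) for k, v in seen.items() if len(v) >= threshold}


if __name__ == "__main__":
    for hit in find_dga_subdomains(SAMPLE_LOG):
        print("DGA-like subdomain:", *hit)
    for (date, tld), n in tld_bursts(SAMPLE_LOG, threshold=3).items():
        print(f"{n} distinct .{tld} domains seen on {date}")
```

On real logs the burst threshold should be set from a baseline of how many never-before-seen domains per TLD your resolvers normally observe in a day, and the per-label heuristic is a triage filter, not a verdict: follow flagged names up with WHOIS age and the resolution history of the IPs behind them, which is where the fast-flux behaviour actually shows.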