Potential Operation Triangulation C2 Beaconing Activity - DNS
Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
Sigma rule
title: Potential Operation Triangulation C2 Beaconing Activity - DNS
id: 7fc30d63-728d-48d9-ad6f-14d14f4accf7
related:
    - id: aa03c712-75c6-438b-8d42-de88f2427e09 # Proxy C2
      type: similar
status: test
description: Detects potential beaconing activity to domains used in 0day attacks on iOS devices and revealed by Kaspersky and the FSB
references:
    - https://securelist.com/operation-triangulation/109842/
    - https://www-fsb-ru.translate.goog/fsb/press/message/single.htm!id=10439739@fsbMessage.html?_x_tr_sch=http&_x_tr_sl=ru&_x_tr_tl=en&_x_tr_hl=de&_x_tr_pto=wapp
author: Florian Roth (Nextron Systems)
date: 2023-06-01
tags:
    - attack.command-and-control
    - attack.g0020
    - detection.emerging-threats
logsource:
    category: dns
detection:
    selection:
        query:
            - 'addatamarket.net'
            - 'ans7tv.net'
            - 'anstv.net'
            - 'backuprabbit.com'
            - 'businessvideonews.com'
            - 'cloudsponcer.com'
            - 'datamarketplace.net'
            - 'growthtransport.com'
            - 'mobilegamerstats.com'
            - 'snoweeanalytics.com'
            - 'tagclick-cdn.com'
            - 'topographyupdates.com'
            - 'unlimitedteacup.com'
            - 'virtuallaughing.com'
            - 'web-trackers.com'
    condition: selection
falsepositives:
    - Unknown
level: high
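The rule's selection is a list of bare string values on the `query` field, which in Sigma means a case-insensitive exact match against the queried name. The following Python is an added example, not code from the rule or from the SigmaHQ project, that applies that selection to DNS log records and tallies hits per client so repeated lookups (the beaconing the rule is named for) stand out from a single stray resolution. The indicator list is copied from the rule; the log line format, the `DnsEvent` shape, the sample records and the optional `include_subdomains` extension are assumptions made for illustration.

```python
"""Apply the Sigma selection above to DNS log records (added example)."""
from collections import Counter
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Indicator list copied verbatim from the rule's selection.query values
TRIANGULATION_DOMAINS = frozenset({
    "addatamarket.net", "ans7tv.net", "anstv.net", "backuprabbit.com",
    "businessvideonews.com", "cloudsponcer.com", "datamarketplace.net",
    "growthtransport.com", "mobilegamerstats.com", "snoweeanalytics.com",
    "tagclick-cdn.com", "topographyupdates.com", "unlimitedteacup.com",
    "virtuallaughing.com", "web-trackers.com",
})

RULE_TITLE = "Potential Operation Triangulation C2 Beaconing Activity - DNS"
RULE_LEVEL = "high"


def normalize_qname(query: str) -> str:
    """Lower-case the name and drop a trailing root dot ('a.b.com.' -> 'a.b.com')."""
    return query.strip().rstrip(".").lower()


def matches_rule(query: str, include_subdomains: bool = False) -> bool:
    """Evaluate the rule's selection against one queried name.

    Sigma's default for a list of plain string values is a case-insensitive
    exact match, which is what the rule as written expresses. The
    include_subdomains flag is an assumption added in this example: resolvers
    often log host names under a listed apex, and an analyst may want those
    too. It is off by default so the default behaviour mirrors the rule.
    """
    qname = normalize_qname(query)
    if qname in TRIANGULATION_DOMAINS:
        return True
    if include_subdomains:
        # Require the dot so 'notbackuprabbit.com' does not match 'backuprabbit.com'
        return any(qname.endswith("." + apex) for apex in TRIANGULATION_DOMAINS)
    return False


@dataclass(frozen=True)
class DnsEvent:
    timestamp: str
    client: str
    query: str
    qtype: str


def parse_dns_line(line: str) -> Optional[DnsEvent]:
    """Parse one constructed record: '<timestamp> <client-ip> <qname> <qtype>'.

    This format is invented for the example; real resolver logs (Zeek dns.log,
    Unbound, Windows DNS Client events) need their own parser that produces
    the same DnsEvent shape.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    return DnsEvent(*parts)


def scan_dns_log(lines: Iterable[str], include_subdomains: bool = False) -> List[dict]:
    """Return one alert per DNS event whose query name hits the rule."""
    alerts = []
    for line in lines:
        event = parse_dns_line(line)
        if event is None or not matches_rule(event.query, include_subdomains):
            continue
        alerts.append({
            "title": RULE_TITLE,
            "level": RULE_LEVEL,
            "timestamp": event.timestamp,
            "client": event.client,
            "query": normalize_qname(event.query),
        })
    return alerts


def hits_per_client(alerts: Iterable[dict]) -> Counter:
    """Count matching lookups per client; repeats from one host suggest beaconing."""
    return Counter(a["client"] for a in alerts)


# Constructed sample log, not real telemetry: benign lookups, an exact hit, a
# mixed-case hit with a trailing dot, a subdomain of an indicator (not matched
# by the rule as written), a look-alike name, and a malformed record.
SAMPLE_DNS_LOG = [
    "2023-06-01T08:00:01Z 10.0.0.5 www.example.com A",
    "2023-06-01T08:00:07Z 10.0.0.5 backuprabbit.com A",
    "2023-06-01T08:05:07Z 10.0.0.5 BackupRabbit.com. AAAA",
    "2023-06-01T08:06:00Z 10.0.0.9 cdn.backuprabbit.com A",
    "2023-06-01T08:06:30Z 10.0.0.9 notbackuprabbit.com A",
    "2023-06-01T08:10:07Z 10.0.0.5 ans7tv.net A",
    "malformed line",
]

if __name__ == "__main__":
    found = scan_dns_log(SAMPLE_DNS_LOG)
    for alert in found:
        print(f'{alert["level"].upper()} {alert["timestamp"]} {alert["client"]} -> {alert["query"]}')
    print("hits per client:", dict(hits_per_client(found)))
```

Run as-is, the script reports three hits, all from 10.0.0.5, and none for the `cdn.` subdomain; passing `include_subdomains=True` to `scan_dns_log` adds that fourth hit. If subdomain coverage is wanted in the Sigma rule itself, the equivalent is the `|endswith` modifier with a leading dot on each value, which is a deliberate widening of the rule rather than what the page's rule currently states.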
Related rules
- Equation Group C2 Communication
- Potential Operation Triangulation C2 Beaconing Activity - Proxy
- DPRK Threat Actor - C2 Communication DNS Indicators
- Devil Bait Potential C2 Communication Traffic
- Equation Group DLL_U Export Function Load