Sandiflux: Another botnet using Fast Flux technology has emerged

Network security company, Proofpoint said on Friday that their research team has observed a new Fast Flux infrastructure called “SandiFlux” that can be used to spread malware and has recently acted as a proxy for GandCrab’s ransomware infrastructure.

A botnet is a collection of computers infected with a large number of hosts. An attacker can use command and control (C&C) servers to control it to attack other users and sites on the Internet. In earlier botnets, attackers often hard-coded the C&C server’s domain name or IP address into malware, and the infected computer would use this information to periodically access the C&C server for commands. However, such a mechanism allows security researchers to obtain the domain name or IP address of the C&C server through reverse malware and then use this information to locate the C&C server, thereby destroying the entire botnet. In order to ensure the security of the C&C server, the attacker chose to use Fastflux technology to improve the concealment of the C&C server.

For DNS servers, when we do a DNS query on the same domain name, the results returned at least for a long period of time will not change, regardless of the number of queries. Fast flux technology can constantly change the domain name and The mapping of IP addresses. In other words, in a short time query domain name deployed using Fastflux technology, we will get different results, which makes the C&C server as a botnet difficult to locate.

Proofpoint said that their findings come from long-term observations of the DarkCloud botnet. DarkCloud has been using Fastflux technology since 2014. Most infected computers that makeup Dark Cloud are concentrated in Ukraine and Russia (77.4% and 14.5%, respectively).

Since December 2017, Proofpoint has found that some FastFlux domains have no overlap with DarkCloud nodes. So they decided to map and monitor the infrastructure separately and named it “SandiFlux” as a new infrastructure to track.

Unlike DarkCloud, SandiFlux nodes are concentrated in Romania and Bulgaria (46.4% and 21.3%, respectively), but also a small number of other areas, such as Europe, Africa, the Middle East and southern Asia.

On March 27, 2018, Proofpoint noticed that SandiFlux has been used as an agent for the command and control of GandCrab ransomware.

Image: proofpoint

Proofpoint stated that although they have not observed any overlap between DarkCloud and SandiFlux in the past four months, they cannot assert that there is no correlation between the two infrastructures. Instead, they suspect that the two infrastructures are operated by the same organization.

Proofpoint noted that Fastflux has proven to be a very powerful DNS technology that can allow darknet websites, malicious infrastructure, and other network-based malicious operations to escape security researchers or law enforcement personnel.

After the DarkCloud botnet was first discovered in 2016, it continued to grow in size with the help of Fastflux technology. And now, the new SandiFlux botnet has emerged, and the nodes of infected hosts are more widely distributed. This means that the threats faced by the victims are not only due to the reduction of equipment performance and bandwidth caused by botnets, but also the increasing threat from Fast Flux technology.