DNSChanger
August 25, 2024
| ID | X0005 |
| Type | Trojan |
| Aliases | None |
| Platforms | Windows |
| Year | 2011 |
| Associated ATT&CK Software | None |
DNSChanger is used to change DNS settings to generate fraudulent advertising revenue.
ATT&CK Techniques
| Name | Use |
|---|---|
| Defense Evasion::File and Directory Permissions Modification (T1222) | DNSChanger sets file attributes. [2] |
| Execution::Shared Modules (T1129) | DNSChanger accesses PE headers. [2] |
Enhanced ATT&CK Techniques
| Name | Use |
|---|---|
| Impact::Generate Traffic from Victim::Advertisement Replacement Fraud (E1643.m02) | The malware alters DNS server settings to route to a rogue DNS server for the purpose of click hijacking. [1] |
| Defense Evasion::Disable or Evade Security Tools (F0004) | DNSChanger prevents the infected system from installing anti-virus software updates. [1] |
| Defense Evasion::Obfuscated Files or Information::Encoding-Standard Algorithm (E1027.m02) | DNSChanger encodes data using XOR. [2] |
| Defense Evasion::Process Injection (E1055) | DNSChanger attaches to user process memory. [2] |
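The E1643.m02 and F0004 rows describe the effect a defender actually looks for: per-adapter DNS server settings rewritten to point at a rogue resolver. The check below is an added example for this page, not MBC, capa or DNSChanger code. It parses text constructed here to mimic `reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s` output (the `NameServer` value is the static override DNSChanger sets; `DhcpNameServer` is what DHCP handed out, which matters when a home router's DNS has been changed) and flags any server inside the six address blocks the FBI published in 2011 for the DNSChanger (Rove Digital) servers; verify that list against the FBI notice before relying on it.

```python
r"""Flag Windows resolver settings that point at known rogue DNS ranges.

Added example for this page; not MBC, capa or DNSChanger code. SAMPLE_REG_QUERY
is constructed to look like the output of

    reg query HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces /s

On a live host, capture that output and pass it to parse_reg_query().
"""
import ipaddress
import re

# Address blocks published by the FBI for the DNSChanger rogue resolvers (2011).
# Treat as an assumption to re-verify against the FBI notice before use.
ROGUE_RANGES = [
    ipaddress.ip_network(n) for n in (
        "85.255.112.0/20",   # 85.255.112.0  - 85.255.127.255
        "67.210.0.0/20",     # 67.210.0.0    - 67.210.15.255
        "93.188.160.0/21",   # 93.188.160.0  - 93.188.167.255
        "77.67.83.0/24",     # 77.67.83.0    - 77.67.83.255
        "213.109.64.0/20",   # 213.109.64.0  - 213.109.79.255
        "64.28.176.0/20",    # 64.28.176.0   - 64.28.191.255
    )
]

# Matches "    NameServer    REG_SZ    1.2.3.4,5.6.7.8" (value may be empty).
VALUE_RE = re.compile(r"^\s*(NameServer|DhcpNameServer)\s+REG_SZ\s*(.*?)\s*$")


def parse_reg_query(text: str) -> dict:
    """Map each registry key in reg query output to its DNS server lists.

    Returns {key_path: {"NameServer": [...], "DhcpNameServer": [...]}}.
    """
    settings = {}
    current = None
    for line in text.splitlines():
        if line.startswith("HKEY_"):
            current = line.strip()
            settings[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            # Windows stores multiple servers comma- or space-separated.
            settings[current][m.group(1)] = [
                s for s in re.split(r"[,\s]+", m.group(2)) if s
            ]
    return settings


def classify(server: str) -> str:
    """Return 'rogue', 'local', 'public' or 'unparseable' for one server string."""
    try:
        addr = ipaddress.ip_address(server)
    except ValueError:
        return "unparseable"
    if any(addr in net for net in ROGUE_RANGES):
        return "rogue"
    if addr.is_private or addr.is_loopback:
        return "local"
    return "public"


def find_rogue(settings: dict) -> list:
    """Return [(key_path, value_name, server)] for every server in a rogue range."""
    hits = []
    for key_path, values in settings.items():
        for value_name, servers in values.items():
            for s in servers:
                if classify(s) == "rogue":
                    hits.append((key_path, value_name, s))
    return hits


# Constructed sample: one adapter with a static override into a rogue block,
# one adapter left on DHCP. The GUIDs are made up.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-2222-3333-4444-555555555555}
    NameServer    REG_SZ    85.255.112.36,85.255.113.14
    DhcpNameServer    REG_SZ    192.168.1.1

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{66666666-7777-8888-9999-000000000000}
    NameServer    REG_SZ
    DhcpNameServer    REG_SZ    192.168.1.1
"""

if __name__ == "__main__":
    for key_path, value_name, server in find_rogue(parse_reg_query(SAMPLE_REG_QUERY)):
        print(f"ROGUE DNS {server} in {value_name} under {key_path}")
```

A static `NameServer` value takes precedence over `DhcpNameServer`, so an empty `NameServer` next to a sane `DhcpNameServer` is the healthy state; a populated `NameServer` on a DHCP-configured adapter is itself worth a second look even when the address is not in the list.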
MBC Behaviors
| Name | Use |
|---|---|
| Cryptography::Encrypt Data::RC4 (C0027.009) | DNSChanger encrypts data using RC4 PRGA. [2] |
| Data::Encode Data::XOR (C0026.002) | DNSChanger encodes data using XOR. [2] |
| File System::Get File Attributes (C0049) | DNSChanger gets file attributes. [2] |
| File System::Read File (C0051) | DNSChanger reads files on Windows. [2] |
| File System::Set File Attributes (C0050) | DNSChanger sets file attributes. [2] |
| File System::Write File (C0052) | DNSChanger writes files on Windows. [2] |
| Memory::Allocate Memory (C0007) | DNSChanger allocates RWX memory. [2] |
| Operating System::Registry::Query Registry Value (C0036.006) | DNSChanger queries or enumerates registry values. [2] |
| Operating System::Registry::Set Registry Key (C0036.001) | DNSChanger sets registry keys. [2] |
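The C0027.009 and C0026.002 rows come from capa matching an RC4 PRGA and XOR encoding in the binary; when triaging such a sample the next step is usually to decode whatever blob those routines protect. The code below is an added example for this page, not MBC, capa or DNSChanger code: a plain RC4 (KSA plus PRGA) and a single-byte XOR brute force that keeps only keys whose output contains an IPv4 literal. The configuration string, the XOR key `0x5A` and the RC4 key `example-key` are constructed here; for a real sample the key has to be pulled from the binary (the string or buffer handed to the KSA).

```python
"""RC4 (KSA + PRGA) and single-byte XOR helpers for unpacking encoded blobs.

Added example for this page, not MBC, capa or DNSChanger code. The blob,
keys and configuration string below are constructed so the functions can be
exercised offline; nothing here is taken from a sample.
"""
import re


def rc4_ksa(key: bytes) -> list:
    """Key-scheduling algorithm: build the 256-byte permutation S from key."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    return S


def rc4_prga(S: list, n: int) -> bytes:
    """Pseudo-random generation algorithm: emit n keystream bytes from S."""
    S = S[:]  # work on a copy so the caller can reuse S
    i = j = 0
    out = bytearray()
    for _ in range(n):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: keystream XOR data both encrypts and decrypts."""
    keystream = rc4_prga(rc4_ksa(key), len(data))
    return bytes(d ^ k for d, k in zip(data, keystream))


def xor_single_byte(data: bytes, key: int) -> bytes:
    """XOR every byte with one key byte (its own inverse)."""
    return bytes(b ^ key for b in data)


IPV4_RE = re.compile(rb"\b\d{1,3}(?:\.\d{1,3}){3}\b")


def brute_force_xor(blob: bytes) -> list:
    """Try every single-byte key; keep those whose output contains an IPv4 literal.

    Returns [(key, plaintext)] in key order. Key 0 is skipped because it
    would return the blob unchanged.
    """
    hits = []
    for k in range(1, 256):
        pt = xor_single_byte(blob, k)
        if IPV4_RE.search(pt):
            hits.append((k, pt))
    return hits


# Constructed test data: a made-up config string, XOR-encoded with 0x5A and,
# separately, RC4-encrypted under a made-up key.
CONFIG = b"dns1=85.255.112.36;dns2=85.255.113.14"
XOR_BLOB = xor_single_byte(CONFIG, 0x5A)
RC4_KEY = b"example-key"
RC4_BLOB = rc4(RC4_KEY, CONFIG)


def recover_config() -> dict:
    """Decode both constructed blobs and report what each method recovered."""
    xor_hits = brute_force_xor(XOR_BLOB)
    return {
        "xor_keys": [k for k, _ in xor_hits],
        "xor_plaintext": dict(xor_hits).get(0x5A),
        "rc4_plaintext": rc4(RC4_KEY, RC4_BLOB),
    }


if __name__ == "__main__":
    for name, value in recover_config().items():
        print(name, value)
```

The IPv4 filter is the known-plaintext assumption: a DNS-changing trojan's configuration has to carry resolver addresses somewhere, so any decoding that yields dotted quads is worth inspecting. Swap the regex for a URL or hostname pattern when the expected plaintext is different.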
Indicators of Compromise
SHA256 Hashes
- c2ef46a1b6292f28c0caf08013577e8559c4b0a71bf6fc058968061a3d71ede2
- af1713e216913a768ec63cbae98f1c78d6bcdd5e88138a4aba21661ef909ea24
References
[1] https://www.huffingtonpost.com/2011/11/09/click-hijack-hackers-online-ad-scam_n_1084497.html
[2] capa v4.0, analyzed at MITRE on 10/12/2022