From Google DNS to Tech Support Scam Sites: Unmasking the Malware Trail
A vast majority of website malware employ the ever-familiar HTTP/HTTPS protocols for its malicious activities. But, we also periodically confront more interesting hybrid malware leveraging various other internet protocols. For example, malware sending email spam, DDoS tools creating floods of UDP packets, bruteforce tools trying to guess SSH credentials, phishing and credit card skimming malware exfiltrating data via web sockets, telegram bots — the list goes on.
During a recent investigation, we encountered a rather interesting piece of JavaScript malware that indirectly uses the DNS protocol to obtain redirect URLs.