Dangerous DNS malware infects over 30,000 websites - so be on your guard

(Image credit: Pixabay)

  • DetourDog malware campaign compromised over 30,000 websites using DNS redirection
  • Victims were silently redirected to sites hosting Strela Stealer, a modular infostealer
  • Attack remained undetected for months due to DNS-level manipulation and infrastructure abuse

Security researchers have spotted an enormous malware campaign which managed to quietly compromise more than 30,000 websites, as well as countless visitors.

Researchers from Infoblox detailed a campaign they dubbed DetourDog, which targeted unprotected servers with a piece of malware of the same name, forcing those servers to redirect their visitors.

Since the DNS requests are made by the compromised website's server rather than by the visitor's browser, they are invisible to the victims. This also helped the campaign remain undetected for as long as it did: several months.

Strela Stealer

Infoblox’s analysis also revealed that the attackers used a combination of compromised registrars, DNS providers, and misconfigured domains to propagate DetourDog.

Victims were redirected from legitimate (but compromised) websites to sites hosting an infostealer called Strela Stealer. From there, the malware was delivered using standard drive-by techniques, such as prompting downloads or exploiting browser vulnerabilities, depending on the victim's environment.

Strela Stealer itself was first spotted in late 2022. At the time, it was built just to exfiltrate email credentials from Microsoft Outlook and Thunderbird.

However, it has evolved over the years and is now described as a modular infostealer that can extract credentials from multiple sources, including browsers. Once deployed, it communicates with command-and-control servers to exfiltrate stolen data and receive updates, making it a persistent threat.

Its attribution has not been established yet, but the word ‘strela’ means ‘arrow’ in Russian, and most other Slavic languages (with some variation).

The report adds that Infoblox notified all affected domain owners, as well as the relevant authorities.

Victims are apparently working on cleaning up their infrastructure, but the full scope of the damage remains unclear. Security experts recommend that organizations audit their DNS configurations, monitor for unusual traffic patterns, and deploy DNS security solutions to detect and block similar threats.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.