Open Source Context
CNAME and Control
It’s always DNS… and in this case, it was also a state-sponsored RAT cleverly designed to accept command-and-control (C2) instructions delivered through DNS CNAME records. We’ll break apart the encoding and the (accidental) detection methodology that uncovered a Chinese state actor’s attack on the Defense Industrial Base (DIB) and related entities.
Donald McCarthy is director of field operations at Open Source Context, where he works to empower security teams and researchers with passive DNS and passive BGP data.