CTI take-aways from the Mueller indictment

In this article, we provide an overview of the CTI that can be gathered from the reporting on the election hacking that was released yesterday. While it does not really include any new TTPs, it has newsworthy elements. Based on a review of the report, this article offers some important take-aways for CTI researchers and practitioners.

Cerber ransomware introduces malware coordination via the bitcoin blockchain

In order for malicious software to receive configuration information or commands, malware needs to be able to locate and connect to its owner. Hard-coded addresses are easy to block, which renders the malware installation inoperable, so malware writers have turned to dynamically generated addresses. We describe an entirely new principle of domain generation, actively deployed in the Cerber ransomware, which finds and coordinates with its owner based on transaction information in the bitcoin blockchain. This allows the malware author to update the location of the server dynamically in real time, and because the malware goes directly to the right location, it no longer generates a sequence of NXDomain responses.