malwares.md

File metadata and controls

42 lines (30 loc) · 3.59 KB

Fast flux Networks

Fast flux refers to networks used by several botnets to hide the domains that serve malware or host phishing sites. It can also refer to the type of network used to host command-and-control servers or proxies for those botnets, making them difficult to find and even more difficult to dismantle. In a fast flux network, multiple IPs are associated with a single domain name, and these IPs change as frequently as every few minutes. For example, the Avalanche botnet had 800,000 domains under its control.

Most machines in such a network are not actually responsible for hosting and serving malicious content to victims. That task is reserved for a few servers, while the rest act as redirectors that help botnet operators mask the real addresses of those systems.

Single flux network

It is characterized by multiple individual nodes registering and de-registering their IP addresses as part of the DNS A records for a single domain name. These registrations have very short lifespans (5 min or less) and create a constantly changing set of addresses for anyone attempting to reach a specific domain.

Moreover, the domains used are hosted on bulletproof servers with a good reputation, and it is difficult to take them down at short notice.

Double flux network

This type of network is similar to a single flux network but adds a further layer of sophistication that makes it harder to locate the machine serving the malware. In this case, zombie computers that are part of the botnet are used as proxies, which prevents the victim from interacting directly with the server hosting the malware. This is the concealment strategy cyber criminals adopt to keep their infrastructure running. Double flux networks are typically characterized by multiple nodes registering and de-registering as part of the DNS NS records as well: both the DNS A records and the authoritative NS records for malicious domains are continually changed in round-robin fashion and advertised into the fast flux network.
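As an added example (not code from this page), the following Python heuristic scores passive-DNS style observations for the single flux and double flux patterns described above: short-TTL A records spread across unrelated networks, and, for double flux, a short-TTL, churning NS record set as well. The domain names, addresses and thresholds are constructed for illustration and are assumptions, not a standard.

```python
from ipaddress import ip_address

# Constructed sample of DNS answers collected over time for three domains
# (e.g. passive DNS or repeated lookups): (domain, type, TTL seconds, data).
# RFC 5737 documentation addresses; not real indicators.
OBSERVATIONS = [
    ("flux.example", "A", 180, "203.0.113.5"),
    ("flux.example", "A", 180, "198.51.100.77"),
    ("flux.example", "A", 120, "192.0.2.44"),
    ("flux.example", "A", 150, "203.0.113.90"),
    ("flux.example", "NS", 300, "ns1.flux.example"),
    ("flux.example", "NS", 300, "ns2.flux.example"),
    ("flux.example", "NS", 300, "ns7.flux.example"),
    ("cdn.example", "A", 60, "203.0.113.10"),   # low TTL, one network: CDN-like
    ("cdn.example", "A", 60, "203.0.113.11"),
    ("cdn.example", "NS", 86400, "ns1.cdn.example"),
    ("static.example", "A", 86400, "192.0.2.1"),
]

def _prefix16(ip: str) -> str:
    """Coarse 'hosting network' key: the /16 block of an IPv4 address."""
    return ".".join(str(ip_address(ip)).split(".")[:2])

def classify_flux(observations, domain, a_ttl_max=300, min_ips=3,
                  min_prefixes=2, ns_ttl_max=600, min_ns=3):
    """Heuristic fast-flux classifier; thresholds are assumptions, not a standard.
    single flux: several short-TTL A records spread over unrelated networks;
    double flux: single flux plus a short-TTL, churning NS record set."""
    recs = {"A": [], "NS": []}
    for dom, rrtype, ttl, rdata in observations:
        if dom == domain and rrtype in recs:
            recs[rrtype].append((ttl, rdata))
    a_ttls, a_ips = [t for t, _ in recs["A"]], {r for _, r in recs["A"]}
    ns_ttls, ns_names = [t for t, _ in recs["NS"]], {r for _, r in recs["NS"]}
    if not a_ips:
        return "none"
    prefixes = {_prefix16(ip) for ip in a_ips}
    # A short TTL alone is normal for CDNs and load balancers; the signal is
    # many addresses scattered across unrelated networks.
    if (max(a_ttls) > a_ttl_max or len(a_ips) < min_ips
            or len(prefixes) < min_prefixes):
        return "none"
    if ns_names and max(ns_ttls) <= ns_ttl_max and len(ns_names) >= min_ns:
        return "double-flux"
    return "single-flux"
```

Real deployments would replace the /16 proxy with ASN lookups and feed the function from a passive DNS source rather than a static list.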

Crypto mining malware

This malware is specially developed to take over computer resources and use them for cryptocurrency mining without explicit permission. Cyber criminals have turned to writing cryptomining malware as a way to harness the computing power of large numbers of computers and smartphones to generate revenue from cryptocurrency mining. According to a Kaspersky report, a single cryptocurrency mining botnet can net cyber criminals more than $30,000 per month.

In addition to malware specifically designed to mine cryptocurrency, cyber criminals use browser-based cryptocurrency mining to generate revenue. Coinhive is a software package that bundles all the tools website owners need to run stealth scripts that force visitors into cryptocurrency mining while they are on the site, in most cases without explicit permission.

What is a RAT

A RAT (Remote Access Trojan) is a sort of Swiss army knife program consisting of many malicious functionalities:

  • Stealing usernames and passwords
  • Logging keystrokes
  • Gathering system information
  • Exfiltrating data
  • Command-and-control activities
  • Downloading additional malware for further actions
  • Accessing and uploading sensitive files
  • Recording audio/video

Typical infection vectors: email attachments and malicious downloads.