In December, we introduced a target list of more than 20 malware family DGAs provided by our friends over at 360 Research Team. Continuing their great work, we are happy to integrate 7 new malware DGAs:

  1. Vawtrak: (aka Neverquest, Snifula) An information-stealing malware family used to gain unauthorized access to bank accounts through online banking websites. Infected machines form botnets that steal login credentials from a wide variety of industry organizations, including the financial sector. These credentials are used alongside injected code and proxy connections through victim machines to initiate fraudulent transfers to bank accounts controlled by Vawtrak administrators.

  2. Tofsee: A multi-purpose malware reportedly in service since 2008. It features a number of modules that are used to carry out activities such as sending spam messages, conducting click fraud, mining cryptocurrency and more. Infected systems become part of the Tofsee spam botnet and are used to send large volumes of spam messages to infect additional systems and increase the overall size of the botnet.

  3. Rovnix: An advanced malware tool that is being used to target customers at 14 major Japanese banks.

  4. Gspy: A Trojan that steals sensitive data and allows unauthorized access and control of an affected computer. It also steals user credentials for certain applications.

  5. Ranbyus: A Trojan that steals banking information, among other personal data.

  6. Chinad: A bot primarily designed to carry out DDoS attacks using victim computers, generally in China.

  7. Vidro: An SMS Trojan that extracts money from victims through premium-rate SMS services.

The "DGAs supplied by 360.cn feeds" target has been updated with the 7 new malware DGAs. Each malware family also has its own target in ThreatSTOP's expert mode, within the policy editor, so you can choose to block each one individually.

Please note: we have also updated the "BOTNETS" and "TSBanking domains" targets to include the relevant bots.

We highly recommend updating your policies to include these new threats.

If you are not currently subscribed to the ThreatSTOP DNS FW and cannot add these new targets, you can upgrade by contacting us at 1-855-958-7867 or success@threatstop.com.