Are There More Properties Connected to the Pareto Botnet?

This article has been indexed from CircleID: Cybercrime

The initial findings used to uncover more Pareto botnet-related artifacts were collated by WhoisXML API security researcher Dancho Danchev.

The Pareto botnet, known for using close to a million infected Android devices that posed as smart TVs to generate fake ad views, was reportedly taken down recently through the collaboration of industry players, notably Roku and Google.

But has it been 100% shut down?

We looked at known indicators of compromise (IoCs) to determine other artifacts that may be connected to the threat and sought to find out if any of them are still up and running.

Known Pareto Botnet IoCs

Dubbed one of the most sophisticated botnets to date, Pareto has been tied to several IoCs that include:

  • 21 command-and-control (C&C) server domains
  • 9 IP addresses
  • 34 subdomains hosted on Amazon Web Services (AWS)

We used these domains, IP addresses, and subdomains to look for artifacts that may have not been publicized yet and find out if the entire botnet’s infrastructure has indeed been decommissioned.

Using Domain and IP Intelligence Tools to Find Yet-Unpublished Artifacts

Running the 21 C&C server domains through DNS Lookup API gave us four additional IP addresses that do not appear in the published IoC list, namely:

  • 35[.]83[.]172[.]110
  • 44[.]228[.]228[.]126
  • 44[.]236[.]242[.]111
  • 204[.]11[.]56[.]48

While none of them are currently flagged as “malicious” based on Threat Intelligence Platform (TIP) checks, all four had Secure Sockets Layer (SSL) certificate-related issues.

Using the 13 IP addresses (nine from the IoC list and the four we just obtained) as Reverse IP/DNS Lookup search terms gave us at least 264 more domains that share hosts with the known infrastructure and so may be connected to the botnet or tapped for its operation in the future. There may be more, since the tool caps results at 300 domains per query, so 264 is a floor rather than a total.

Based on TIP checks, 228, or 86%, of the additional domains remain live. If they are part of the Pareto infrastructure then that could mean the botnet has not been taken down in its en

[…]
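The pivot described above (known C&C domains to new IPs, then every IP back to co-hosted domains, then a liveness tally) is mechanical enough to script. The following is an added example, not code from the original article or from WhoisXML API: the DNS Lookup, Reverse IP and TIP steps are represented by three pluggable callables so the logic runs offline, and the resolver data, domain names (reserved `.example` names) and TEST-NET addresses are all constructed for illustration. It also records which reverse-IP queries hit the 300-result cap, which is the caveat the article raises about its own 264-domain count.

```python
"""Infrastructure pivot from published botnet IoCs (illustrative, offline).

Added example. Lookups are injected as callables so the same logic can be
wired to real DNS / reverse-IP / threat-intel sources; the data below is
constructed and does not describe any real host.
"""
import re
from typing import Callable, Dict, Iterable, List, Set, Tuple

# Common "defanged" notations seen in IoC lists: 35[.]83[.]172[.]110, hxxp://
DEFANG_DOT = re.compile(r"\[\.\]|\(\.\)|\{\.\}")
RESULT_CAP = 300  # per-query cap of the reverse-IP tool mentioned in the article


def refang(indicator: str) -> str:
    """Turn a defanged indicator back into a usable, normalised value."""
    s = DEFANG_DOT.sub(".", indicator.strip())
    s = re.sub(r"^hxxp", "http", s, flags=re.IGNORECASE)
    return s.lower()


def pivot_ips(domains: Iterable[str], resolve: Callable[[str], List[str]],
              known_ips: Set[str]) -> Dict[str, Set[str]]:
    """Resolve each C&C domain; return {new_ip: {domains that pointed to it}}."""
    found: Dict[str, Set[str]] = {}
    for d in domains:
        for ip in resolve(d):
            if ip not in known_ips:
                found.setdefault(ip, set()).add(d)
    return found


def pivot_domains(ips: Iterable[str], reverse_ip: Callable[[str], List[str]],
                  known_domains: Set[str], cap: int = RESULT_CAP
                  ) -> Tuple[Dict[str, Set[str]], Set[str]]:
    """Reverse-IP every address; return ({new_domain: {ips}}, truncated_ips).

    An IP lands in truncated_ips when its result set is exactly the cap,
    meaning the tool may have withheld further co-hosted domains.
    """
    found: Dict[str, Set[str]] = {}
    truncated: Set[str] = set()
    for ip in ips:
        hits = reverse_ip(ip)
        if len(hits) >= cap:
            truncated.add(ip)
        for d in hits:
            if d not in known_domains:
                found.setdefault(d, set()).add(ip)
    return found, truncated


def run_pivot(known_domains: Iterable[str], known_ips: Iterable[str],
              resolve: Callable[[str], List[str]],
              reverse_ip: Callable[[str], List[str]],
              is_live: Callable[[str], bool], cap: int = RESULT_CAP) -> dict:
    """Full pivot: IoC domains -> extra IPs -> co-hosted domains -> liveness."""
    kd = {refang(d) for d in known_domains}
    ki = {refang(ip) for ip in known_ips}
    new_ips = pivot_ips(sorted(kd), resolve, ki)
    new_domains, truncated = pivot_domains(sorted(ki | set(new_ips)), reverse_ip, kd, cap)
    live = [d for d in new_domains if is_live(d)]
    return {
        "new_ips": sorted(new_ips),
        "new_domains": len(new_domains),
        "truncated_ips": sorted(truncated),   # counts are a floor for these
        "live": len(live),
        "live_pct": round(100 * len(live) / len(new_domains), 1) if new_domains else 0.0,
    }


# ---- Constructed sample data (not real infrastructure) ----------------------
SAMPLE_KNOWN_DOMAINS = ["c2-one[.]example", "c2-two[.]example", "c2-three[.]example"]
SAMPLE_KNOWN_IPS = ["198[.]51[.]100[.]10", "198[.]51[.]100[.]11"]  # TEST-NET-2
SAMPLE_A_RECORDS = {
    "c2-one.example": ["198.51.100.10", "203.0.113.5"],   # one known, one new IP
    "c2-two.example": ["203.0.113.5"],
    "c2-three.example": ["203.0.113.6"],
}
SAMPLE_REVERSE_IP = {
    "198.51.100.10": ["c2-one.example", "shared-a.example"],
    "198.51.100.11": [],
    "203.0.113.5": ["c2-one.example", "c2-two.example", "shared-b.example"],
    "203.0.113.6": [f"bulk-{i}.example" for i in range(300)],  # hits the cap
}
SAMPLE_LIVE = {"shared-a.example"} | {f"bulk-{i}.example" for i in range(150)}


def sample_resolve(domain: str) -> List[str]:
    return SAMPLE_A_RECORDS.get(domain, [])


def sample_reverse_ip(ip: str) -> List[str]:
    return SAMPLE_REVERSE_IP.get(ip, [])


def sample_is_live(domain: str) -> bool:
    return domain in SAMPLE_LIVE


if __name__ == "__main__":
    report = run_pivot(SAMPLE_KNOWN_DOMAINS, SAMPLE_KNOWN_IPS,
                       sample_resolve, sample_reverse_ip, sample_is_live)
    for key, value in report.items():
        print(f"{key}: {value}")
```

Two design points matter when this is run against real sources. First, an IP whose reverse-IP result equals the cap is reported separately, because the domain count for it is a lower bound and should be paginated or re-queried rather than quoted as a total. Second, co-hosting is a weak signal on shared cloud ranges such as AWS: a domain that merely shares a host with a C&C server is a lead to check against the other IoCs, not evidence of membership in the botnet, which is the same caution the article applies to its 264 domains.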

Read the original article: Are There More Properties Connected to the Pareto Botnet?