hoshsadiq / adblock-nocoin-list

Block lists to prevent JavaScript miners
MIT License
1.44k stars 109 forks

Block `Dark Utilities` C2-as-a-Service cryptojacking service #444

Closed summercms closed 2 years ago

summercms commented 2 years ago

Website with example

https://github.com/Cisco-Talos/IOCs/blob/main/2022/08/dark-utilities.txt

Domains causing the CPU spike

dark-utilities.xyz
dark-utilities.pw
dark-utilities.me
ijfcm7bu6ocerxsfq56ka3dtdanunyp4ytwk745b54agtravj2wr2qqd.onion.pet
bafybeidravcab5p3acvthxtwosm4rfpl4yypwwm52s7sazgxaezfzn5xn4.ipfs.infura-ipfs.io

Screenshot

Dark Utilities emerged in early 2022 and offers full-blown C2 capabilities both on the Tor network and on the clear web. It hosts payloads in the Interplanetary File System (IPFS - https://ipfs.tech/) - a decentralized network system for storing and sharing data.

The administrative panel comes with multiple modules for various types of attack, including distributed denial-of-service (DDoS) and cryptojacking.

smed79 commented 2 years ago

Do you have an example of a cryptojacked site, or of where it is embedded unbeknownst to the user?

summercms commented 2 years ago

@smed79 @hoshsadiq

You can read the technical paper here: http://blog.talosintelligence.com/2022/08/dark-utilities.html

Normal domains

dark-utilities.xyz
dark-utilities.pw
dark-utilities.me

Tor domains

ijfcm7bu6ocerxsfq56ka3dtdanunyp4ytwk745b54agtravj2wr2qqd.onion.pet

IPFS domains

bafybeidravcab5p3acvthxtwosm4rfpl4yypwwm52s7sazgxaezfzn5xn4.ipfs.infura-ipfs.io
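Added example (not from the issue or the list's own tooling): it turns the hostnames posted above into Adblock Plus `||host^` and hosts-file rules and checks which request URLs those rules cover. The rule syntax, the matching semantics and the sample URLs are assumptions made for illustration.

```python
"""Turn the IOC hostnames from this issue into block-list rules and check
which request URLs they would cover. Added example, not the list's own
tooling; the Adblock Plus '||host^' and hosts-file formats are assumed."""
from urllib.parse import urlsplit

# Hostnames exactly as listed in the issue (from the Cisco Talos IOC file).
IOC_HOSTS = [
    "dark-utilities.xyz",
    "dark-utilities.pw",
    "dark-utilities.me",
    "ijfcm7bu6ocerxsfq56ka3dtdanunyp4ytwk745b54agtravj2wr2qqd.onion.pet",
    "bafybeidravcab5p3acvthxtwosm4rfpl4yypwwm52s7sazgxaezfzn5xn4.ipfs.infura-ipfs.io",
]


def abp_rules(hosts):
    """Adblock Plus rules: '||host^' blocks the host and all its subdomains.
    Only the listed hostname is emitted, so a shared gateway such as
    infura-ipfs.io or onion.pet stays reachable for unrelated content."""
    return [f"||{h.lower().rstrip('.')}^" for h in hosts]


def hosts_rules(hosts):
    """hosts-file format: the exact hostname sinkholed to 0.0.0.0."""
    return [f"0.0.0.0 {h.lower().rstrip('.')}" for h in hosts]


def _rule_host(rule):
    return rule[2:-1]  # strip the '||' prefix and the '^' separator


def is_blocked(url, rules):
    """True if the URL's host equals, or is a subdomain of, any rule host."""
    host = (urlsplit(url).hostname or "").lower().rstrip(".")
    for rule in rules:
        d = _rule_host(rule)
        if host == d or host.endswith("." + d):
            return True
    return False


if __name__ == "__main__":
    rules = abp_rules(IOC_HOSTS)
    print("\n".join(rules))
    print("\n".join(hosts_rules(IOC_HOSTS)))
    # Constructed sample URLs: a subdomain of a listed domain, the bare IPFS
    # gateway, and a lookalike that must not match by plain suffix.
    for u in ("https://cdn.dark-utilities.xyz/script.js",
              "https://infura-ipfs.io/ipfs/other-content",
              "https://dark-utilities.xyz.example.com/"):
        print(u, "->", "blocked" if is_blocked(u, rules) else "allowed")
```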