Developers Beware: Malware Hijacks Microsoft Dev Tunnels for Sneaky C2 Connections!
Newly observed NJRat samples are abusing Microsoft Dev Tunnels as the transport to their command-and-control (C2) servers, so the malware's traffic terminates at a legitimate Microsoft-hosted hostname instead of an attacker-owned one. If nobody in your environment uses this feature, any lookup of devtunnels.ms in your DNS logs deserves a closer look, because it is unlikely to be a developer.

Hot Take:
Well, folks, it looks like cybercriminals have found a new playground in Microsoft Dev Tunnels. Who knew something designed for friendly collaboration could become a dark alley for NJRat operators? It's the digital equivalent of turning a neighborhood lemonade stand into a speakeasy. Cheers to the ingenuity, but maybe let's keep the tunnels for the developers, shall we?
Key Points:
- NJRat samples are using Microsoft Dev Tunnels to reach their command-and-control (C2) servers: the attacker's C2 listener sits behind a tunnel, so the victim only ever talks to a Microsoft-hosted hostname under devtunnels.ms.
- Dev Tunnels is a Microsoft service for testing, debugging and collaboration that exposes a local service to the Internet through a public URL; that same mechanism is what the malware abuses.
- Two NJRat samples share the same import hash (imphash) but are configured with different Dev Tunnel URLs, which is consistent with one builder producing samples for different operators or campaigns.
- The samples carry a USB-propagation routine gated on a boolean configuration variable; when it is set to true, the malware spreads via removable USB drives.
- Monitoring DNS logs for devtunnels.ms (the suffix every Dev Tunnels URL resolves under) is a cheap detection. If Dev Tunnels are not sanctioned in your environment, any lookup is suspicious; if they are, baseline the developer hosts that legitimately use them first and alert on everything else.
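The DNS hunt described in the last point, as an added example that is not part of the original post. It parses a constructed Zeek-style dns.log (tab-separated timestamp, client, query name), flags any query that is devtunnels.ms or a subdomain of it, and skips clients on a hypothetical allowlist of workstations known to use Dev Tunnels legitimately. The log lines, client addresses, tunnel IDs and the allowlist are all made up for the demonstration; the matching logic (case-insensitive, trailing dot stripped, label boundary enforced) is the part worth reusing.

```python
"""Hunt for Microsoft Dev Tunnels lookups in DNS logs.

Added example, not code from the original post. Input is a constructed
Zeek-style dns.log: one record per line, fields separated by tabs in the
order ts, client IP, query name.
"""
from collections import defaultdict

# Domain every Dev Tunnels URL resolves under (the indicator named in the post).
DEVTUNNEL_SUFFIX = "devtunnels.ms"

# Hypothetical allowlist: developer workstations that are expected to use
# Dev Tunnels. Replace with the baseline from your own environment.
KNOWN_DEV_HOSTS = {"10.0.5.23"}

# Constructed sample log. The tunnel IDs and region labels are invented.
SAMPLE_DNS_LOG = """\
1718000001.123\t10.0.5.23\tabc123-8080.euw.devtunnels.ms
1718000002.456\t10.0.7.41\twww.microsoft.com
1718000003.789\t10.0.7.41\tq7x2k1-443.usw2.devtunnels.ms
1718000004.001\t10.0.9.12\tdevtunnels.ms.evil.example
1718000005.222\t10.0.7.41\tq7x2k1-443.usw2.devtunnels.ms.
1718000006.333\t10.0.8.77\tDEVTUNNELS.MS
"""


def is_devtunnel_query(qname: str) -> bool:
    """True if qname is devtunnels.ms itself or any subdomain of it.

    Normalises case and a trailing dot, and requires a label boundary so
    that look-alikes such as 'devtunnels.ms.evil.example' or
    'notdevtunnels.ms' do not match.
    """
    name = qname.rstrip(".").lower()
    return name == DEVTUNNEL_SUFFIX or name.endswith("." + DEVTUNNEL_SUFFIX)


def parse_line(line: str):
    """Split one log record into (ts, client, qname); None if malformed."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) < 3:
        return None
    return parts[0], parts[1], parts[2]


def hunt(log_text: str, allowlist=KNOWN_DEV_HOSTS) -> dict:
    """Return {client: [normalised query names]} for Dev Tunnels lookups
    from clients that are not on the allowlist."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        _ts, client, qname = rec
        if client in allowlist:
            continue
        if is_devtunnel_query(qname):
            hits[client].append(qname.rstrip(".").lower())
    return dict(hits)


if __name__ == "__main__":
    for client, names in hunt(SAMPLE_DNS_LOG).items():
        print(f"{client}: {len(names)} lookup(s) -> {sorted(set(names))}")
```

On the sample log the allowlisted developer host is ignored, the look-alike domain is correctly not matched, and the two remaining clients are reported. Repeated lookups from one client to the same tunnel hostname are the pattern to expect from a beaconing implant, so counting per client is more useful than a single boolean.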