Fidelis Threat Advisory #1016
Pushdo It To Me One More Time
Once thought to be defunct, the resilient Pushdo has surfaced with infections observed in more than 50 countries, with a substantial infection rate located in the Asia-Pacific region. Based on data aggregated from a controlled sinkhole, Fidelis Cybersecurity has observed some notable changes with the primary command and control (C&C) and conducted in-depth analysis of the secondary C&C Domain Generation Algorithm (DGA). In order to support network defenders, Fidelis Cybersecurity is offering a new, free data feed of verified indicators to support the detection and mitigation of Pushdo. Our intention behind revealing these details is to enable widespread detection and remediation of this threat as well as to force a comprehensive retooling exercise on the operators of the Pushdo botnet.
- Pushdo continues to affect large numbers of users worldwide with higher concentrations observed in countries with high rates of pirated software usage such as India, Indonesia, Turkey and Vietnam.
- Pushdo has evolved its Command-and-Control techniques beyond what has previously been published in the research community. The DGA component of this infrastructure uses an elaborate algorithm and has moved entirely to domains registered in Kazakhstan (.kz).
- Pushdo continues to deliver a variety of secondary payloads such as Cutwail, Dyre, Fareit, and Zeus. These malware families are known to be used for DDoS and credential theft purposes.
- Network defenders should operationalize the indicators that accompany this report, including the data feed containing domains based on our having reversed the DGA.
- Defenders can also utilize the Yara rule for Fareit detection that is provided in this report.
To see the full report and findings, visit the Fidelis Threat Advisory #1016.