For example, the attacker can instruct the malware to switch its command-and-control channel from DNS to ICMP by sending the command “conn icmp”.
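The channel switch described above gives a defender a behavioural signal: a host that has been sending DNS queries and then starts emitting ICMP echo requests carrying oversized payloads. The following Python snippet is an added example written for this page, not code from the original post or from the Bachosens analysis; the flow records are constructed, and the thresholds (how many DNS flows count as "established", what ICMP payload size is considered oversized) are assumptions to be tuned against real telemetry.

```python
"""Flag hosts whose outbound traffic shifts from DNS to ICMP-with-payload.

Added example for the Bachosens channel-switch behaviour. The flow records
below are constructed, not captured data, and the thresholds are assumptions.
"""
from collections import defaultdict

# Constructed sample flows: (timestamp, source host, protocol, details).
# 10.0.0.7 sends a single empty-payload ping (benign); 10.0.0.5 moves from
# repeated DNS queries to a burst of ICMP echo requests with large payloads.
SAMPLE_FLOWS = [
    (100, "10.0.0.5", "dns",  {"qname_len": 24}),
    (101, "10.0.0.5", "dns",  {"qname_len": 26}),
    (102, "10.0.0.7", "dns",  {"qname_len": 20}),
    (103, "10.0.0.7", "icmp", {"payload_len": 0}),
    (110, "10.0.0.5", "dns",  {"qname_len": 58}),
    (120, "10.0.0.5", "icmp", {"payload_len": 180}),
    (121, "10.0.0.5", "icmp", {"payload_len": 210}),
    (122, "10.0.0.5", "icmp", {"payload_len": 176}),
]


def detect_channel_switch(flows, min_dns=3, min_icmp=3, icmp_payload_threshold=64):
    """Return [(host, first_suspicious_icmp_ts)] for hosts that first used DNS
    at least `min_dns` times and then sent at least `min_icmp` ICMP packets
    whose payload exceeds `icmp_payload_threshold` bytes (assumed thresholds;
    a default ping payload is 56 bytes, so 64 leaves headroom for benign pings).
    """
    dns_count = defaultdict(int)
    big_icmp = defaultdict(list)
    alerts = []
    for ts, src, proto, detail in sorted(flows):
        if proto == "dns":
            dns_count[src] += 1
        elif proto == "icmp" and detail.get("payload_len", 0) > icmp_payload_threshold:
            # Only count ICMP that follows an established DNS pattern from the same host.
            if dns_count[src] >= min_dns:
                big_icmp[src].append(ts)
                if len(big_icmp[src]) == min_icmp:
                    alerts.append((src, big_icmp[src][0]))
    return alerts


def hosts_with_long_queries(flows, max_qname_len=52):
    """Secondary signal for the DNS channel itself: hosts emitting query names
    longer than `max_qname_len` (assumed cut-off), a common trait of data
    tunnelled through DNS labels.
    """
    return sorted({src for _, src, proto, d in flows
                   if proto == "dns" and d.get("qname_len", 0) > max_qname_len})


if __name__ == "__main__":
    print("channel switch:", detect_channel_switch(SAMPLE_FLOWS))   # [('10.0.0.5', 120)]
    print("long DNS names:", hosts_with_long_queries(SAMPLE_FLOWS))  # ['10.0.0.5']
```

In practice the two signals are combined: a host that both emits long DNS names and then switches to payload-bearing ICMP is a far stronger candidate for investigation than either signal alone, and the benign single ping from the second host stays below both thresholds.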
After checking the registration information for each of these domains, we identified another tie between the registrant and Bachosens activity.
We now knew the registrant of the infrastructure used to compromise an automotive technology supplier was also associated with an automotive parts shop in Moldova.
Based on the Russian strings in the malware infrastructure, Russian characters used for data size suffixes, and the open source traces left by the attacker, we are reasonably confident the attacker is located in Tiraspol, Moldova and is associated with the automotive industry.
The initial facts could have led one to believe this was a highly sophisticated operation carried out by a nation state. However, by following the evidence and connecting the dots, we were able to build a complete picture of the life cycle of the Bachosens attacks against the victim organizations.