Slashdot Mirror


Pawn Storm Group Makes Trend Micro IP Address a C&C Server

An anonymous reader writes: Following Trend Micro's disclosure of Russian hacking group Pawn Storm's 7-year campaign against military-industrial targets in and related to the United States, the security company has today announced that one of the IP addresses it owns has been 'designated' by the hackers as a C&C server for their spear-phishing scenario. The intent of the DNS record redirection, according to the company, is likely to be to convince others that it has been hacked (which it hasn't), or else to push one of its IP addresses into administrative blacklists.

2 of 45 comments

  1. Since the summary is impenetrably obfuscated by qubezz · Score: 5, Informative

    Here's the narrative:

    - Trend Micro documented a 0-day Java exploit, leading to its patching http://blog.trendmicro.com/tre...

    - The hacking org Operation Pawn Storm that was using the exploit got all pissy and redirected a domain that computers infected with their malware contact, pointing it to a Trend Micro IP address.

    The domain names contacted for command and control instructions are usually randomly encoded and encrypted, and rotate on a regular basis. The crackers know what the next domain name to be used is, but they are hard to deduce from the binary. Infected systems will likely move on to contacting the next domain/IP looking for remote control instructions in hours/days.

  2. Re:ISP? by Anonymous Coward · Score: 2, Informative

    No, as a C&C server address in their bot, so as to send C&C traffic to a Trend Micro IP address in an attempt to get Spamhaus et al to add the /24 to the blocklist.
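The two comments above describe two mechanisms: bots rotating through a schedule of C&C domains that only the operator can predict (comment 1), and the operator pointing one of those domains at an address the defender owns so that bot traffic, and possibly a blocklist entry, lands on the defender's netblock (comment 2). The following is an added example, not code from the Slashdot page, from Trend Micro, or from Pawn Storm: a hypothetical date-seeded domain generation algorithm plus a defender-side check that flags any known C&C domain whose current resolution falls inside a monitored netblock. The seed, the RFC 5737 addresses, the 198.51.100.0/24 netblock and the resolution records are all constructed for illustration.

```python
"""Constructed illustration, not Pawn Storm's code: a date-seeded domain
generation algorithm (DGA) and a defender check for C&C domains that have
been pointed into the defender's own address space."""
import hashlib
import ipaddress
from datetime import date, timedelta

# Hypothetical seed. In real malware it is buried in the binary; without the
# seed and the algorithm the next domain cannot be predicted from traffic.
SEED = b"hypothetical-campaign-seed"
TLDS = ("com", "net", "org")
LABEL_LEN = 12


def dga_domain(day_iso, seed=SEED):
    """Deterministic C&C domain for one calendar day given as YYYY-MM-DD."""
    digest = hashlib.sha256(seed + day_iso.encode()).digest()
    label = "".join(chr(ord("a") + b % 26) for b in digest[:LABEL_LEN])
    tld = TLDS[digest[LABEL_LEN] % len(TLDS)]
    return f"{label}.{tld}"


def dga_schedule(start_iso, days, seed=SEED):
    """Domains a bot will try, in order, starting at start_iso.

    The operator computes this ahead of time and registers each domain
    before its day arrives; a defender who recovers seed + algorithm can
    precompute the same list and register or sinkhole the domains first."""
    start = date.fromisoformat(start_iso)
    return [dga_domain((start + timedelta(days=i)).isoformat(), seed)
            for i in range(days)]


# Netblocks the defender owns (constructed, RFC 5737 documentation range).
MONITORED_NETBLOCKS = [ipaddress.ip_network("198.51.100.0/24")]


def constructed_resolutions(schedule):
    """Stand-in for passive-DNS data (constructed): day 0's domain has been
    pointed at an address inside the defender's /24, as described in the
    thread; the rest resolve to an attacker-controlled address."""
    records = {schedule[0]: "198.51.100.23"}
    for domain in schedule[1:]:
        records[domain] = "203.0.113.9"
    return records


def domains_pointed_at_us(domains, resolutions, netblocks=MONITORED_NETBLOCKS):
    """Return (domain, address, netblock) for every known C&C domain whose
    current resolution lands in a monitored netblock.

    A hit means that address is about to receive bot check-ins and may be
    reported as a C&C server by third parties, so it should be documented
    and explained to blocklist operators rather than left to be read as a
    compromise of the defender's network."""
    hits = []
    for domain in domains:
        addr = resolutions.get(domain)
        if addr is None:
            continue
        ip = ipaddress.ip_address(addr)
        for net in netblocks:
            if ip in net:
                hits.append((domain, addr, str(net)))
    return hits


def demo(start_iso="2015-07-01", days=7):
    """Run the DGA for a week and check the constructed resolutions."""
    schedule = dga_schedule(start_iso, days)
    hits = domains_pointed_at_us(schedule, constructed_resolutions(schedule))
    return {"schedule": schedule, "hits": hits}


if __name__ == "__main__":
    result = demo()
    for d in result["schedule"]:
        print("C&C candidate:", d)
    for domain, addr, net in result["hits"]:
        print(f"ALERT: {domain} -> {addr} is inside our {net}")
```

Running the block prints the week's domain schedule and one alert for the domain that was pointed into the monitored /24. The check deliberately operates on a supplied resolution table rather than performing live DNS lookups, so it can be run over passive-DNS exports or sinkhole logs offline; in practice the same comparison is what lets a vendor notice, before a blocklist operator does, that an attacker has aimed a C&C hostname at its address space.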