We saw agafurretor appear on lots of networks. On top of being widespread, this domain had the double whammy of also being the top malicious block across the entire network right now. Notably, the top spot very often belongs to a single IP address generating a ton of activity because of an infection – but not in this case, where the volume comes from how many different hosts and networks are reaching for it.
Well, a PUP isn’t ransomware, so can it wait?
We will be the first to admit that what usually makes headlines is zero-day attacks tied to current events (e.g. fake vaccine clinics, or fake CRA notices at tax time). If we saw that kind of pervasive activity, it would trigger us to communicate with our partners and perhaps issue a more formal announcement. The point of this blog is simply that just because something is “run of the mill” doesn’t mean it isn’t a real problem for IT teams.
While serving up advertisements isn’t the worst problem in the world, the fact that it is on the network shows user behaviour that isn’t desirable. It consumes employee time and your network resources without your permission. This spike in agafurretor is something that IT teams should consider taking a look at on their networks. It also underscores that even for resource-constrained teams, using DNS data to monitor the network is a valuable activity that doesn’t necessarily consume lots of hours.
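The distinction drawn above, between a domain that tops the block list because one infected host hammers it and a domain like agafurretor that tops it because many hosts across the network query it, is easy to pull out of resolver logs. The script below is an added example written for this post, not a tool from the blog or its authors; it assumes a simple whitespace-separated log format (timestamp, client IP, queried name, ALLOW/BLOCK) and uses constructed placeholder domains and RFC 1918 addresses rather than real data. It ranks blocked names by query volume and labels each as "pervasive" (seen from several distinct clients) or "single-host".

```python
from collections import defaultdict

# Constructed sample of resolver log lines (placeholder names and private
# addresses, not real data). Assumed format:
#   <timestamp> <client_ip> <queried_name> <ALLOW|BLOCK>
SAMPLE_LOG = """\
2024-01-15T09:00:01 10.0.1.11 pup-ads.example BLOCK
2024-01-15T09:00:04 10.0.1.12 pup-ads.example BLOCK
2024-01-15T09:00:09 10.0.1.13 pup-ads.example BLOCK
2024-01-15T09:00:15 10.0.1.14 pup-ads.example BLOCK
2024-01-15T09:00:21 10.0.1.15 pup-ads.example BLOCK
2024-01-15T09:00:22 10.0.1.11 intranet.example ALLOW
2024-01-15T09:00:30 10.0.1.20 noisy-host.example BLOCK
2024-01-15T09:00:31 10.0.1.20 noisy-host.example BLOCK
2024-01-15T09:00:32 10.0.1.20 noisy-host.example BLOCK
2024-01-15T09:00:33 10.0.1.20 noisy-host.example BLOCK
2024-01-15T09:00:34 10.0.1.20 noisy-host.example BLOCK
2024-01-15T09:00:35 10.0.1.20 noisy-host.example BLOCK
2024-01-15T09:00:36 10.0.1.20 noisy-host.example BLOCK
2024-01-15T09:00:37 10.0.1.20 noisy-host.example BLOCK
2024-01-15T09:00:40 10.0.1.12 www.example ALLOW
"""


def parse_line(line):
    """Split one log line into (client_ip, name, action).

    Returns None for blank or malformed lines so a bad record never
    aborts the whole run.
    """
    parts = line.split()
    if len(parts) != 4:
        return None
    _timestamp, client, name, action = parts
    # Normalise the name: case-insensitive, trailing dot stripped.
    return client, name.lower().rstrip("."), action.upper()


def summarize_blocks(log_text):
    """Return {name: {"queries": count, "clients": set_of_client_ips}} for BLOCK events only."""
    stats = defaultdict(lambda: {"queries": 0, "clients": set()})
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec[2] != "BLOCK":
            continue
        client, name, _action = rec
        stats[name]["queries"] += 1
        stats[name]["clients"].add(client)
    return stats


def rank_blocks(log_text, min_hosts=3):
    """Rank blocked names by query volume.

    Each row is (name, query_count, distinct_client_count, label) where the
    label is "pervasive" when at least min_hosts distinct clients queried the
    name and "single-host" otherwise. The threshold is an assumption for the
    example; tune it to the size of your network.
    """
    stats = summarize_blocks(log_text)
    rows = []
    for name, s in stats.items():
        hosts = len(s["clients"])
        label = "pervasive" if hosts >= min_hosts else "single-host"
        rows.append((name, s["queries"], hosts, label))
    # Highest query volume first; name as a stable tie-breaker.
    rows.sort(key=lambda r: (-r[1], r[0]))
    return rows


if __name__ == "__main__":
    for name, queries, hosts, label in rank_blocks(SAMPLE_LOG):
        print(f"{name:<22} queries={queries:<3} hosts={hosts:<3} {label}")
```

On the sample data the noisiest block by raw count is a single client, which is the "one infected machine" pattern; the pervasive entry has fewer total queries but comes from five different hosts, which is the pattern that warrants a look at user behaviour across the fleet rather than cleanup of one box. Counting distinct clients alongside query volume is the one extra column that makes that call obvious.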