Who Me Too'd this topic

Command & Control or Just Ads?

In the last few days I have seen alerts for berbew.jb C2 traffic (192730665) and dynamer.bayo C2 traffic (192442683). The odd thing here is that in the alert the same URL is being accessed (ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=XXXXXXXXXXXXXXXXXXX) and this seems like it should just be web advertising. I have checked the system with multiple AV products and it comes back clean.

From what I have read these signatures were created by WildFire. Perhaps there is a false positive here? Is there somewhere that a person could get more technical details on the traffic that is sent by these C&C communications?

(Attached screenshots: bayo.PNG, berbew.PNG)