In the last few days I have seen alerts for berbew.jb C2 traffic (192730665) and dynamer.bayo C2 traffic (192442683). The odd thing here is that in the alert the same URL is being accessed (ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=XXXXXXXXXXXXXXXXXXX) and this seems like it should just be web advertising. I have checked the system with multiple AV products and it comes back clean.
From what I have read these signatures were created by wildfire. Perhaps there is a false positive here? Is there somewhere that a person could get more technical details on the traffic that is sent by these C&C communications?
We're seeing the same traffic. Hits on VT are mostly for adware, and a few for Trojan, but no IOC details are available. The sites users are visiting do not appear to be consistent either. We don't have PCAP available for this signature traffic as this signature is MEDIUM.
Any updates from PAN?
We opened a ticket @ PAN
The URL ad.afy11.net is used by advertising providers, the clients which hit the URL are clean. (@DIRTT already mentioned this)
The two threat IDs are disabled because of false-positive hits.
"The signature TID 192442683 has been disabled starting from 01/20/2018, therefore it should not be triggered once the customer updates the AV database to the latest version."
It seems that there are currently many changes to C2C / ad traffic and most of them are false positives (in our case).
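As an added example (not code from the thread or from Palo Alto Networks), a small Python triage helper for the pattern the thread describes: group threat alerts by URL with the per-user query parameter stripped, and flag endpoints where several distinct C2 signature IDs match the same URL as candidates for false-positive review. The alert tuples, the `VOLATILE_PARAMS` list and the simplified alert fields are constructed assumptions, not the PAN-OS threat log format.

```python
from collections import defaultdict
from urllib.parse import urlsplit, parse_qsl, urlencode

# Constructed sample alerts (not real log lines): (threat_id, signature name, source host, URL).
SAMPLE_ALERTS = [
    (192730665, "berbew.jb C2 traffic", "10.0.0.11",
     "ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=AAA111"),
    (192442683, "dynamer.bayo C2 traffic", "10.0.0.11",
     "ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=BBB222"),
    (192730665, "berbew.jb C2 traffic", "10.0.0.42",
     "ad.afy11.net/ad?mode=7&publisher_dsp_id=67&external_user_id=CCC333"),
    (100000001, "example.family C2 traffic", "10.0.0.99",
     "203.0.113.5/update?id=CCC333"),
]

# Assumed list of query parameters that carry per-user identifiers; they would
# otherwise split one advertising endpoint into a different URL per client.
VOLATILE_PARAMS = {"external_user_id"}


def normalize_url(url):
    """Return host+path+query with volatile per-user parameters removed."""
    parts = urlsplit(url if "://" in url else "//" + url)
    kept = [(k, v) for k, v in parse_qsl(parts.query, keep_blank_values=True)
            if k not in VOLATILE_PARAMS]
    query = urlencode(kept)
    return parts.netloc + parts.path + ("?" + query if query else "")


def triage(alerts):
    """Group alerts by normalized URL.

    An endpoint matched by more than one distinct C2 signature is marked for
    false-positive review (the situation in the thread: two malware-family
    signatures firing on one ad URL). Hosts are listed so each can be checked.
    """
    by_url = defaultdict(lambda: {"threat_ids": set(), "hosts": set()})
    for threat_id, _name, host, url in alerts:
        entry = by_url[normalize_url(url)]
        entry["threat_ids"].add(threat_id)
        entry["hosts"].add(host)
    findings = []
    for url, info in by_url.items():
        findings.append({
            "url": url,
            "threat_ids": sorted(info["threat_ids"]),
            "hosts": sorted(info["hosts"]),
            "review_as_false_positive": len(info["threat_ids"]) > 1,
        })
    return findings


if __name__ == "__main__":
    for finding in triage(SAMPLE_ALERTS):
        print(finding)
```

The flag is a review hint only; the thread's resolution still came from vendor confirmation and clean host scans, not from the grouping itself.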