C2/Generic-A Originating from AFCd?

Question

Hi everyone, looks like I have a similar situation to a few people. 
 NO Windows machines on the network, just OSX and Linux (QNAP). Woke up to over 1400 emails regarding ATP C2/Generic-A. But the originiating seems to be from AFCd? Any idea what this is? 
 Googling has given me no ideas. Any ideas anyone?

KashifMoazzam · Answer

I am having the same issue. It seems to be attempting to reach the domain <random>.app.anmorencai.com 
 Some information I have found: 
 Parent server gave glue for app.anmorencai.com to be app.anmorencai.com.qingcdn.com but we resolve that hostname to 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103 183.61.63.103 
 Local NS list does not match Parent NS list 140.205.228.52 was reported by the parent, but not locally 140.205.228.51 was reported by the parent, but not locally 183.61.63.103 was reported locally, but not by the parent 
 Though I am unsure what the Origin AFCd is?

JohnRiley · Answer

Because of the massive amount of traffic I was receiving, I had my ISP change my static address yesterday. 
 All traffic stopped, and still no activity today. 
 Quick fix, but would still be interested in the root cause, and possible trigger for them to even look at my IP to begin with. 
 I'm not hosting anything on my IP, and did quick virus, malware scan across all systems just in case - nada.

MichaelMuenz · Answer

OK, I have the solution/explanation. 
 
 If you do a 
 dig @yourWAN pqyoebe38318.app.anmorencai.com any 
 you can reproduce the alert. 
 
 So this means the ATP listens in front of the firewall rules, regardless of the DNS service is running on the WAN or not. 
 
 Be sure that you aren't infected :)

DominicSchmidl · Answer

Hey Folks, 
 We did some further investigation on that issue and it turned out that it was not related to an ATP pattern update. The cause for the issue happening is due to a botnet, that started to send UDP DNS pakets through malicious domains. Those DNS requests were detected by the ATP rather than being blocked by the packet filter. After the botnet stopped sending DNS requests which stopped ATP reporting the alerts. 
 We are working to improve the paket handling that those kind of traffic will be detected before it reaches the ATP engine. 
 
 Best regards, 
 
 Dominic Schmidl