Newly Composed Mozart Malware Found To Be Highly Evasive – Expert Insight

A new backdoor malware called Mozart is using the DNS protocol to communicate with remote attackers to evade detection by security software and intrusion detection systems. The researchers have discovered that the malware uses DNS to receive instructions from attackers and to evade detection. Typically when a malware phones home to receive commands that should be executed, it will do so over the HTTP/S protocols for ease of use and communication but this can be detected by security software.

Experts Comments

February 26, 2020
Andre Gironda
VP
Cerberus Sentinel
There are legitimate external infrastructure use cases for TXT and similar Resource Records. The email and messaging integrity protocols DKIM, SPF, and Domainkey make use of DNS TXT, as one small example. In 2014, the US Army Research Lab released an open-source project, DShell, to decode C2 techniques in backdoors, RATs, and implants such as Immunity Security’s INNUENDO DNS Channel. The secure web gateway infrastructure, or proxy, will resolve DNS on behalf of the clients that connect to.....Read More
There are legitimate external infrastructure use cases for TXT and similar Resource Records. The email and messaging integrity protocols DKIM, SPF, and Domainkey make use of DNS TXT, as one small example. In 2014, the US Army Research Lab released an open-source project, DShell, to decode C2 techniques in backdoors, RATs, and implants such as Immunity Security’s INNUENDO DNS Channel. The secure web gateway infrastructure, or proxy, will resolve DNS on behalf of the clients that connect to it. IPv6 DNS can be dealt with in the same manner: configure it properly and many IT/Ops and Cybersecurity Defense gains will be made. Outside of Mozart, there are at least 5 malware families that mess with DNS tunneling and/or RRs such as TXT, PTR, CAA, or other less-known RRs for their stealthy communications. The threat actor Anunak (aka FIN7) has popularized use of DNS Tunneling in the past 3 years with DNSMessenger (aka TEXTMATE, which used TXT RRs) in many campaigns including MuddyWater, as well as Iranian actors with Greenbug (related to ISM Agent/Door), including the famous APT34’s OilRig campaign. Mozart was also the name of a malware family originally discovered in 2015 during the Home Depot data breach where it was found to act as a Point-of Sale (POS) RAM (memory) scraper. This new Mozart must not be confused with this older, unrelated variety.  Read Less
February 26, 2020
Chris Clements
VP
Cerberus Sentinel
Using the DNS protocol for malware command and control operations can have advantages for cyber criminals. Using DNS can allow the attackers to bypass outbound communication restrictions or web filters and many organizations don’t have tools in place to monitor or alert on suspicious DNS traffic. However, the DNS protocol itself is unencrypted and is much easier to monitor than encrypted HTTPS. This makes it easier for defenders to build detection signatures to flag common command encoding.....Read More
Using the DNS protocol for malware command and control operations can have advantages for cyber criminals. Using DNS can allow the attackers to bypass outbound communication restrictions or web filters and many organizations don’t have tools in place to monitor or alert on suspicious DNS traffic. However, the DNS protocol itself is unencrypted and is much easier to monitor than encrypted HTTPS. This makes it easier for defenders to build detection signatures to flag common command encoding like base64 for further analysis.  Read Less
February 26, 2020
James McQuiggan
Security Awareness Advocate
KnowBe4
This type of attack is supporting evidence that criminal hackers are evolving their tactics, tools and procedures to elude the cybersecurity control systems of organizations. By using DNS to collect information from .txt files, represents another way to transmit the commands needed from the criminal groups command and control (C2) servers. Organizations with a robust cybersecurity program should be monitoring the DNS and HTTP/S traffic from their endpoints, but now need to add further scrutiny .....Read More
This type of attack is supporting evidence that criminal hackers are evolving their tactics, tools and procedures to elude the cybersecurity control systems of organizations. By using DNS to collect information from .txt files, represents another way to transmit the commands needed from the criminal groups command and control (C2) servers. Organizations with a robust cybersecurity program should be monitoring the DNS and HTTP/S traffic from their endpoints, but now need to add further scrutiny to the DNS requests and examine the contents of the request to determine its validity. This kind of attack is like buying a suitcase and putting expensive items inside of it and the cashier doesn't open it to look inside to make sure the buyer isn't doing anything malicious.  Read Less
What do you think of the topic? Do you agree with expert(s) or share your expert opinion below.
Be part of our growing Information Security Expert Community (1000+), please register here.

Share on facebook
Share on twitter
Share on linkedin

Recent Posts

Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics

Twitter Facebook-f Linkedin Youtube

Working With Us

The Pages

Our Contributing Experts