A new backdoor called Mozart uses the DNS protocol to communicate with its operators, a choice made to evade security software and intrusion detection systems. Researchers found that the malware receives its instructions from the attackers over DNS. Malware that phones home for commands typically does so over HTTP or HTTPS because those protocols are simple to implement, but that traffic is exactly what web proxies and security software are tuned to inspect.
New Mozart Malware Gets Commands, Hides Traffic Using DNS – by @LawrenceAbrams https://t.co/mJPukTckoD
— BleepingComputer (@BleepinComputer) February 24, 2020
There are legitimate uses of TXT and similar resource records (RRs) on external infrastructure. The email authentication and integrity mechanisms SPF, DKIM and its predecessor DomainKeys are all published as DNS TXT records, to name one small example. In 2014, the US Army Research Laboratory released DShell, an open-source network forensics framework that includes decoders for the C2 channels of backdoors, RATs and implants, such as the DNS channel used by Immunity Security’s INNUENDO.
A secure web gateway, or proxy, resolves DNS on behalf of the clients that connect through it, so endpoints behind it have no need to reach external resolvers directly and that traffic can be blocked at the egress. IPv6 DNS should be handled the same way: configure it deliberately rather than leaving it to defaults, and both IT/Ops and cyber defense benefit. Beyond Mozart, at least five malware families use DNS tunneling and/or resource records such as TXT, PTR, CAA or other less common RRs for stealthy communication. FIN7 (which overlaps with the Anunak/Carbanak group) popularized DNS tunneling over the past three years with DNSMessenger (aka TEXTMATE), which fetched its commands from TXT records. Iranian actors have used the technique as well, including MuddyWater, Greenbug with its ISMAgent/ISMDoor tooling, and the well-known OilRig campaign attributed to APT34.
Mozart was also the name of a malware family first identified in 2015 in connection with the Home Depot data breach, where it acted as a point-of-sale (POS) RAM scraper. The new Mozart backdoor must not be confused with that older, unrelated family.
Using DNS for command and control has clear advantages for criminals. It lets the attackers bypass outbound communication restrictions and web filters, and many organizations have no tooling in place to monitor or alert on suspicious DNS traffic. On the other hand, plain DNS is unencrypted (unless the client has been pointed at a DNS-over-HTTPS or DNS-over-TLS resolver, which this traffic was not) and is far easier to inspect than HTTPS, so defenders can write detection signatures for telltale command encodings such as base64 in TXT answers and queue the hits for further analysis.
This attack is further evidence that criminal groups keep evolving their tactics, techniques and procedures to slip past organizations' security controls. Pulling commands out of DNS TXT records is simply another channel for delivering instructions from the group's command and control (C2) servers. Organizations with a mature security program already monitor DNS and HTTP/S traffic from their endpoints; they now need to scrutinize DNS requests more closely and examine the contents of both queries and answers to judge whether they are legitimate.
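The detection idea in the two paragraphs above, written out as a small triage script. This is an added example, not code from the original article or from any vendor tool; the log format and every hostname and payload in it are constructed for illustration (the `.test` domain is reserved and resolves nowhere). It walks a DNS query log, ignores everything but TXT lookups, and flags a query when the answer is base64 that decodes to printable text (a command) or the leftmost label of the name is long and high-entropy (a beacon or exfil chunk). The SPF and DMARC records in the sample show that ordinary TXT traffic, as discussed earlier on this page, passes through untouched.

```python
import base64
import math
import re
from collections import Counter
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample log (hypothetical; not captured from any real sensor).
# Columns: timestamp client qtype qname answer
SAMPLE_LOG = """\
2020-02-24T10:00:01Z 10.1.2.3 A www.example.com 93.184.216.34
2020-02-24T10:00:02Z 10.1.2.3 TXT example.com "v=spf1 include:_spf.example.com -all"
2020-02-24T10:00:03Z 10.1.2.3 TXT 4e0e2e.c2-example.test "Y21kLmV4ZSAvYyB3aG9hbWk="
2020-02-24T10:00:04Z 10.1.2.3 TXT a3b8c1d9e2f4g6h7i8j9k0l1m2n3o4p5.c2-example.test "cG93ZXJzaGVsbCAtZW5jIEpB"
2020-02-24T10:00:05Z 10.1.2.3 TXT _dmarc.example.com "v=DMARC1; p=reject"
"""

# Only the base64 alphabet, at least 8 chars, optional padding.
BASE64_RE = re.compile(r"^[A-Za-z0-9+/]{8,}={0,2}$")


@dataclass
class Finding:
    qname: str
    reasons: List[str]
    decoded: Optional[str] = None


def shannon_entropy(s: str) -> float:
    """Bits per character; random-looking labels score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def decode_if_base64(text: str) -> Optional[str]:
    """Return the plaintext if `text` is strict base64 decoding to printable ASCII, else None."""
    if not BASE64_RE.match(text) or len(text) % 4 != 0:
        return None
    try:
        raw = base64.b64decode(text, validate=True)
    except ValueError:  # binascii.Error is a ValueError subclass
        return None
    if raw and all(32 <= b < 127 for b in raw):
        return raw.decode("ascii")
    return None


def inspect_txt(qname: str, answer: str,
                label_len_threshold: int = 20,
                entropy_threshold: float = 3.5) -> Tuple[List[str], Optional[str]]:
    """Score one TXT query/answer pair; thresholds are tunable assumptions."""
    reasons: List[str] = []
    decoded = decode_if_base64(answer)
    if decoded is not None:
        reasons.append("TXT answer is base64 that decodes to printable text")
    label = qname.split(".")[0]
    ent = shannon_entropy(label)
    if len(label) >= label_len_threshold and ent >= entropy_threshold:
        reasons.append(f"long high-entropy leftmost label ({len(label)} chars, {ent:.2f} bits/char)")
    return reasons, decoded


def parse_line(line: str) -> Tuple[str, str, str, str, str]:
    """Split one log line; the answer may contain spaces, so it is kept as the remainder."""
    ts, client, qtype, qname, answer = line.split(" ", 4)
    return ts, client, qtype, qname, answer.strip().strip('"')


def scan(log_text: str) -> List[Finding]:
    """Return a Finding for every TXT query that trips at least one heuristic."""
    findings: List[Finding] = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        _ts, _client, qtype, qname, answer = parse_line(line)
        if qtype != "TXT":
            continue
        reasons, decoded = inspect_txt(qname, answer)
        if reasons:
            findings.append(Finding(qname=qname, reasons=reasons, decoded=decoded))
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f.qname, "->", "; ".join(f.reasons), "| decoded:", f.decoded)
```

Run against the constructed log it flags the two `c2-example.test` lookups and recovers the decoded commands, while the SPF and DMARC answers are left alone because they contain characters outside the base64 alphabet. Treat the output as a triage queue rather than a verdict: some legitimate TXT values (domain verification tokens, for instance) are base64-like, so the thresholds should be tuned against a baseline of the organization's own DNS traffic before alerting on them.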
This kind of attack is like buying a suitcase, filling it with expensive items, and walking out while the cashier never opens it to check that the buyer isn't doing anything malicious.