Delaware, USA – September 11, 2019 – As Google and Mozilla drive widespread adoption of the DNS over HTTPS (DoH) protocol, malware authors are seizing the same opportunity to hide malicious traffic. Proofpoint researchers discovered that in mid-August PsiXBot began abusing Google’s DoH service to retrieve the IP addresses of its command-and-control (C&C) infrastructure. The malware first appeared in 2017 as a simple infostealer that collected cookies and credentials and could download and execute additional tools, but over time it acquired extra modules. One of PsiXBot’s key features is its use of .bit domains as C&C servers. To reach them, the malware previously contacted a specific DNS server; now it carries hardcoded C&C domains and hides its DNS queries for the C&C infrastructure inside HTTPS by placing the domain names into GET requests to Google’s service as a request parameter. In the response it receives a JSON blob containing further instructions and modifications to its modules, and this traffic will almost certainly evade detection by traffic-analysis solutions.
PsiXBot is distributed via spam emails or exploit kits; the latest version was distributed by the Spelevo exploit kit. The attackers actively modify their ‘offspring’ and add new modules. Today PsiXBot can also replace cryptocurrency addresses on the clipboard, send spam emails via Outlook, and detect when a victim visits ‘adult’ websites in order to start recording video and audio that can be used for blackmail.
Using the DNS over HTTPS protocol for C&C communications should be a warning shot for the cybersecurity community, as there is no simple way to identify an infected host or the moment it receives instructions. A month and a half after the first malware using this technique appeared, such malware can still be detected only by the traces it leaves on the infected system. You can use the Windows Security Monitor rule pack to visualize basic Windows security events, perform statistical analysis and profiling on them, and detect deviations that need to be investigated: https://my.socprime.com/en/integrations/windows-security-monitor-arcsight
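The two detection opportunities the article leaves implicit, the GET request that carries the domain name to Google’s service (first paragraph) and the host-side traces an analyst is left with (last paragraph), can both be checked with a small triage script. The example below is added here and is not code from the article, SOC Prime or Proofpoint. It assumes Google’s public DNS-over-HTTPS JSON API is reached at `dns.google/resolve` (or the older `dns.google.com`) with the queried name in a `name` parameter, that a web-proxy log records the originating process name, and that a `.bit` query name is worth flagging because the article says PsiXBot used `.bit` C&C domains; the log lines, the `c2-placeholder.bit` name, the `192.0.2.10` address and the JSON answer are all constructed for the example.

```python
import json
from urllib.parse import urlparse, parse_qs

# Hostnames of Google's public DoH JSON API (assumption: the article does not
# name the endpoint; these are the documented hosts for the /resolve API).
DOH_HOSTS = {"dns.google", "dns.google.com"}
DOH_RESOLVE_PATH = "/resolve"
# Browsers use DoH legitimately; anything else resolving names this way is
# worth a look. The process list is an assumption for the example.
BROWSER_PROCESSES = {"chrome.exe", "firefox.exe"}
# .bit (Namecoin) names are not in the public DNS; the article ties them to
# PsiXBot's C&C, so they are used here as a high-signal indicator.
SUSPICIOUS_TLDS = {"bit"}

# Constructed proxy log: "<timestamp> <src_ip> <process> <method> <url>"
SAMPLE_LOG = """\
2019-08-20T10:01:02Z 10.0.0.15 chrome.exe GET https://www.example.com/index.html
2019-08-20T10:01:07Z 10.0.0.15 chrome.exe GET https://dns.google/resolve?name=www.example.com&type=A
2019-08-20T10:02:11Z 10.0.0.23 svchost.exe GET https://dns.google/resolve?name=c2-placeholder.bit&type=A
2019-08-20T10:02:12Z 10.0.0.23 svchost.exe GET https://dns.google.com/resolve?name=c2-placeholder.bit&type=A
2019-08-20T10:03:40Z 10.0.0.23 outlook.exe GET https://mail.example.com/owa/
"""

# Constructed DoH JSON answer in the shape Google's /resolve API returns
# (Status 0 = NOERROR, type 1 = A record, 192.0.2.10 is a documentation address).
SAMPLE_DOH_RESPONSE = json.dumps({
    "Status": 0, "TC": False, "RD": True, "RA": True, "AD": False, "CD": False,
    "Question": [{"name": "c2-placeholder.bit.", "type": 1}],
    "Answer": [{"name": "c2-placeholder.bit.", "type": 1, "TTL": 300,
                "data": "192.0.2.10"}],
})


def doh_query_name(url):
    """Return the name queried through Google's DoH JSON API, or None."""
    parts = urlparse(url)
    if parts.hostname not in DOH_HOSTS or parts.path != DOH_RESOLVE_PATH:
        return None
    names = parse_qs(parts.query).get("name")
    if not names:
        return None
    # Normalise: drop a trailing dot, lower-case for TLD comparison.
    return names[0].rstrip(".").lower()


def scan_proxy_log(text):
    """Find DoH name lookups in a proxy log and annotate why each matters."""
    findings = []
    for line in text.splitlines():
        fields = line.split(maxsplit=4)
        if len(fields) != 5:
            continue  # malformed line, skip rather than guess
        ts, src_ip, process, _method, url = fields
        name = doh_query_name(url)
        if name is None:
            continue
        tld = name.rsplit(".", 1)[-1]
        findings.append({
            "ts": ts,
            "src_ip": src_ip,
            "process": process,
            "name": name,
            "suspicious_tld": tld in SUSPICIOUS_TLDS,
            "non_browser": process.lower() not in BROWSER_PROCESSES,
        })
    return findings


def resolved_addresses(doh_json_text):
    """Extract A/AAAA answers from a captured DoH JSON reply for IR triage."""
    reply = json.loads(doh_json_text)
    if reply.get("Status") != 0:
        return []  # non-NOERROR replies carry no usable addresses
    return [rr["data"] for rr in reply.get("Answer", [])
            if rr.get("type") in (1, 28) and "data" in rr]


if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_LOG):
        flag = "ALERT" if f["suspicious_tld"] or f["non_browser"] else "info"
        print(f"{flag}: {f['ts']} {f['src_ip']} {f['process']} -> {f['name']}")
    print("addresses in captured reply:", resolved_addresses(SAMPLE_DOH_RESPONSE))
```

Only the DoH lookups from `svchost.exe` for the `.bit` name are raised as alerts; the browser lookup of `www.example.com` is recorded as informational, which keeps the rule quiet on hosts where Chrome or Firefox already resolve names over DoH. The `resolved_addresses` helper is for the post-infection case the article describes: once a reply has been captured on the host, it yields the addresses to pivot on in firewall and proxy logs.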