Mozart Malware Receives Instructions via DNS

Delaware, USA – February 26, 2020 – Using DNS traffic for command-and-control communications by advanced threat actors is not uncommon. Furthermore, more and more malware has been switching to DNS-over-HTTPS traffic, and this is reasonable, given that this protocol will be used by popular browsers by default soon and Mozilla has already enabled this feature for US users. But let’s back to DNS communications and malware. Vitali Kremez analyzed the new Mozart backdoor, which abuses the DNS protocol for communications with adversaries’ infrastructure evading detection by security solutions. “The initial observed delivery Mozart DNS loader method was likely spearphishing via trojanized PDF” 15-feb-sell-out.pdf “(low detection) which downloads and executes Base64-encoded payload from https://masikini[.]Com/CarlitoRegular[.]zip. The payload is executed via the usual JS ActiveXObject WScript.Shell API processor. The scope of the bot activity is yet to be confirmed. However, it is assessed with moderate confidence that the malware received at least a few hundreds of infections,” expert states.

The malware copies itself to a random named executable in the Startup folder to achieve persistence and then starts communications with a hardcoded DNS server issuing the DNS requests to receive instructions or configuration data. Researchers have not yet been able to spot the commands issued by adversaries. Perhaps the attackers are just getting ready to deliver the main blow and waiting until all the systems they are interested in will be infected. You can uncover suspicious DNS traffic with your existing security tools and DNS Security Check rule pack, it analyzes traffic & processes server logs (like Microsoft Trace Logs, BIND or other) to uncover tunneling and malware activity https://my.socprime.com/en/integrations/dns-security-check