https://www.bleepingcomputer.com/news/security/new-mozart-malware-gets-commands-hides-traffic-using-dns/
NEW MOZART MALWARE GETS COMMANDS, HIDES TRAFFIC USING DNS
By LAWRENCE ABRAMS
February 24, 2020, 04:34 PM

A new backdoor malware called Mozart is using the DNS protocol to communicate with remote attackers to evade detection by security software and intrusion detection systems.

Typically, when malware phones home to receive commands to execute, it does so over HTTP/S for ease of use and communication. Using HTTP/S, though, has its drawbacks, as security software normally monitors this traffic for malicious activity. If detected, the security software will block the connection and the malware that performed the HTTP/S request.

In the new Mozart backdoor discovered by MalwareHunterTeam, the malware uses DNS to receive instructions from attackers and to evade detection.

USING DNS TXT RECORDS TO ISSUE COMMANDS

DNS is a name resolution protocol that is used to convert a hostname, such as www.example.com, to its IP address, 93.184.216.34, so that software can connect to the remote computer.

In addition to converting hostnames to IP addresses, the DNS protocol also allows you to query TXT records that contain text data. This feature is commonly used for domain ownership verification for online services and for email security policies such as Sender Policy Framework (SPF) or DMARC. You can also use these for silly little demonstrations like the TXT record for 'hi.bleepingcomputer.com'.

[Image: hi.bleepingcomputer.com TXT record]

The Mozart attackers are using these DNS TXT records to store commands that are retrieved by the malware and executed on the infected computer.

MOZART MAKES BAD MUSIC OVER DNS

The Mozart malware is believed to be distributed via phishing emails that contain PDFs that link to a ZIP file that was located at https://masikini[.]com/CarlitoRegular[.]zip. This ZIP file contains a JScript file that, when executed, extracts a base64-encoded executable, saves it to the computer as %Temp%\calc.exe and executes it.

[Image: Mozart JScript installer]

According to Vitali Kremez, Head of SentinelLabs, who analyzed this backdoor and shared his findings with BleepingComputer, the malware first checks for the file %Temp%\mozart.txt. If it does not exist, it creates the file with the contents '12345' and performs some preparation work on the computer. This includes copying calc.exe from the %Temp% folder to a randomly named executable in the %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\ folder so that it starts every time the victim logs into Windows.

[Image: mozart.txt file]

According to Kremez, the Mozart malware communicates with a hardcoded DNS server under the attacker's control at 93[.]188[.]155[.]2 and issues the following DNS requests to receive instructions or configuration data:

The loader obtains the bot ID and returns Base64-encoded parameters for tasks and further processing:

A. ".getid" (.1) The bot generation API sequence is as follows: GetCurrentHwProfileW -> GetUserNameW -> LookupAccountNameW -> ConvertSidToStringSidW
B. ".gettasks" (.1) Parse tasks with "," delimiter
C. ".gettasksize" (.1) Allocate memory for the task and dnsquery_call
D. ".gettask" (.1) Parse for the specific task
E. ".reporttask" (.0|.1) Run the task via CreateProcessW API
F. ".reportupdates" (.0|.1) Retrieve and check updates via WriteFile and MoveFileW locally for a stored check as ".txt"
H. ".getupdates" (.0|.1) Check for presence of ".txt" update and write the update with "wb" flag and check for executable extension (".exe"), following with ".gettasks" call.

For example, in BleepingComputer's tests, we were assigned the bot ID '111', which caused Mozart to do DNS TXT lookups for 111.1.getid, 111.1.getupdates, and 111.1.gettasks.

[Image: gettasks DNS request]

While monitoring Mozart, we noticed that the malware continually issues 'gettasks' queries to the attacker's DNS server to find commands to execute. If the TXT record response is empty, as shown above, there are no commands to execute and the malware will repeat this check over and over until a task is provided.

At this time, it is not known what commands are being executed by Mozart, as tests by myself and Kremez did not result in any responses to the DNS queries. It could be that we did not test for a long enough period or that the attackers are currently building their botnet before transmitting commands.

BLOCKING THIS TYPE OF THREAT

It is important to note that malware using DNS to communicate is not unique to the Mozart backdoor. In 2017, the Cisco Talos group discovered a malware called DNSMessenger that also used TXT records for malicious communication.

To block Mozart, we could tell you to block DNS requests to 93[.]188[.]155[.]2, but new variants could simply switch to a new DNS server until we get tired of this cat-and-mouse game.

David Maxwell, Software Security Director at BlueCat, offered this suggestion instead:

"'At your firewall, block outbound port 53 from everywhere except your official internal DNS server' - this virus goes directly to a fixed external IP, and while you could just block that, the next virus won't use the same IP. Forcing all of your corporate name resolution to go through the resolvers you maintain gives you the ability to monitor traffic and control policy."

It is also important to keep an eye out for novel methods of malicious communication, and if your security software and intrusion detection systems can monitor DNS TXT queries, you should enable it.

LAWRENCE ABRAMS
Lawrence Abrams is the creator and owner of BleepingComputer.com. Lawrence's area of expertise includes malware removal and computer forensics. Lawrence Abrams is a co-author of the Winternals Defragmentation, Recovery, and Administration Field Guide and the technical editor for Rootkits for Dummies.
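The two detection ideas in the article, the <bot id>.<0|1>.<command> TXT query names that Mozart issues and Maxwell's point that name resolution should only go through resolvers you maintain, can be turned into a simple log check. The script below is an added example written for this page, not BleepingComputer's or SentinelLabs' code. It assumes a constructed DNS query log format of "<timestamp> <client> <resolver> <qtype> <qname>" (one line per query) and a constructed list of approved internal resolvers; the command names and the 93.188.155.2 resolver come from the article, the sample log lines are made up for the demo.

```python
"""Flag DNS query log lines that match the Mozart TXT beacon pattern or that
bypass the approved internal resolvers.

Added example, not code from the article or from SentinelLabs. The log format,
the approved-resolver set and SAMPLE_LOG are constructed for this demo.
"""
import re
from dataclasses import dataclass

# Command suffixes the article lists; the malware queries <bot id>.<0|1>.<command>
MOZART_COMMANDS = (
    "getid", "gettasks", "gettasksize", "gettask",
    "reporttask", "reportupdates", "getupdates",
)
MOZART_QNAME = re.compile(
    r"^(?P<bot>\d+)\.(?P<flag>[01])\.(?P<cmd>" + "|".join(MOZART_COMMANDS) + r")$",
    re.IGNORECASE,
)

# Hardcoded attacker resolver named in the article (defanged there as 93[.]188[.]155[.]2)
MOZART_RESOLVER = "93.188.155.2"

# Constructed sample log: one infected host polling the attacker resolver, one host
# doing a benign TXT lookup through the internal resolver, one host bypassing it.
SAMPLE_LOG = [
    "2020-02-24T16:34:01Z 10.0.0.5 93.188.155.2 TXT 111.1.getid",
    "2020-02-24T16:34:02Z 10.0.0.5 93.188.155.2 TXT 111.1.getupdates",
    "2020-02-24T16:34:03Z 10.0.0.5 93.188.155.2 TXT 111.1.gettasks",
    "2020-02-24T16:35:00Z 10.0.0.7 10.0.0.53 TXT hi.bleepingcomputer.com",
    "2020-02-24T16:35:10Z 10.0.0.9 10.0.0.53 A www.example.com",
    "2020-02-24T16:36:00Z 10.0.0.9 8.8.8.8 A www.example.com",
    "malformed line",
]


@dataclass(frozen=True)
class Finding:
    timestamp: str
    client: str
    resolver: str
    qname: str
    reasons: tuple


def parse_line(line):
    """Split one constructed log line into its five fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, resolver, qtype, qname = parts
    return ts, client, resolver, qtype.upper(), qname.rstrip(".").lower()


def classify(rec, approved_resolvers):
    """Return the list of reasons a parsed query is suspicious (empty if none)."""
    ts, client, resolver, qtype, qname = rec
    reasons = []
    if resolver == MOZART_RESOLVER:
        reasons.append("known Mozart resolver")
    m = MOZART_QNAME.match(qname)
    if qtype == "TXT" and m:
        reasons.append(f"Mozart beacon pattern: bot {m['bot']} cmd {m['cmd']}")
    # Maxwell's rule: only the resolvers you run should ever see outbound DNS
    if resolver not in approved_resolvers:
        reasons.append("resolver not on approved list")
    return reasons


def analyze(lines, approved_resolvers):
    """Run classify() over every well-formed line and collect the flagged ones."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        reasons = classify(rec, approved_resolvers)
        if reasons:
            findings.append(Finding(rec[0], rec[1], rec[2], rec[4], tuple(reasons)))
    return findings


def beacon_clients(findings):
    """Count beacon-pattern hits per client; Mozart polls gettasks repeatedly,
    so a single host racking up hits is the signal to look for."""
    counts = {}
    for f in findings:
        if any(r.startswith("Mozart beacon pattern") for r in f.reasons):
            counts[f.client] = counts.get(f.client, 0) + 1
    return counts


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG, {"10.0.0.53"}):
        print(f.timestamp, f.client, "->", f.resolver, f.qname, "|", "; ".join(f.reasons))
    print("beacon hits per client:", beacon_clients(analyze(SAMPLE_LOG, {"10.0.0.53"})))
```

The "resolver not on approved list" reason is the durable check: it catches the next sample that swaps 93.188.155.2 for a different server, which is exactly the cat-and-mouse problem the article describes, while the name pattern and the fixed resolver are only useful against this variant. Adapting the script to a real resolver or firewall log only means changing parse_line() to that log's field layout.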