Security Experts:

"Wekby" Group Uses DNS Requests for C&C Communications

Palo Alto Networks researchers noticed that a China-linked advanced persistent threat (APT) actor has been using a piece of malware that leverages DNS requests for command and control (C&C) communications.

The group, known as Wekby, APT 18, Dynamite Panda and TG-0416, is believed to be responsible for the 2014 attack on Community Health Systems, one of the largest hospital operators in the United States. In that operation, the attackers reportedly stole 4.5 million patient records by exploiting the OpenSSL vulnerability dubbed Heartbleed.

The group is known to quickly add new exploits to its arsenal. One example is a Flash Player exploit that the actor started using shortly after it was leaked last year from Italian spyware maker Hacking Team.

In a more recent attack aimed at a US-based organization, Wekby leveraged a piece of malware dubbed by Palo Alto Networks “pisloader.” Based on metadata and the commands it uses, researchers believe pisloader is a variant of HTTPBrowser, a remote access Trojan (RAT) known to be used by Wekby and other APT actors.

The attackers delivered the malware using an infrastructure that includes domains made to look like they belong to major organizations such as Logitech and Global Print.

The hackers first deliver a dropper designed to add registry keys for persistence, and decrypt and execute a file that contains the pisloader payload. The payload is obfuscated using a ROP technique and contains random assembly instructions to make reverse engineering more difficult.

Pisloader uses DNS requests for C&C communications, which allows it to bypass certain security products that don’t properly inspect this type of traffic.

An increasing number of threats have been leveraging the technique, including point-of-sale (PoS) malware such as FrameworkPOS and Multigrain.

In the case of pisloader, the malware periodically sends a DNS beacon request to its C&C server, whose location is hardcoded into the malware. The DNS responses must meet certain requirements, otherwise the malware will ignore them.

The server responds with a TXT record that can contain various commands for the malware, including to collect system information, list file information for a specified directory, upload a file to the infected machine, and launch a command shell.

The commands are similar to the ones used by HTTPBrowser, which, researchers said last year, was also using DNS as a covert communications channel.

Related: Microsoft Office Flaw Exploited by Several APT Actors

view counter
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.