Connect with us

Hi, what are you looking for?


Malware & Threats

“Wekby” Group Uses DNS Requests for C&C Communications

Palo Alto Networks researchers noticed that a China-linked advanced persistent threat (APT) actor has been using a piece of malware that leverages DNS requests for command and control (C&C) communications.

Palo Alto Networks researchers noticed that a China-linked advanced persistent threat (APT) actor has been using a piece of malware that leverages DNS requests for command and control (C&C) communications.

The group, known as Wekby, APT 18, Dynamite Panda and TG-0416, is believed to be responsible for the 2014 attack on Community Health Systems, one of the largest hospital operators in the United States. In that operation, the attackers reportedly stole 4.5 million patient records by exploiting the OpenSSL vulnerability dubbed Heartbleed.

The group is known to quickly add new exploits to its arsenal. One example is a Flash Player exploit that the actor started using shortly after it was leaked last year from Italian spyware maker Hacking Team.

In a more recent attack aimed at a US-based organization, Wekby leveraged a piece of malware dubbed by Palo Alto Networks “pisloader.” Based on metadata and the commands it uses, researchers believe pisloader is a variant of HTTPBrowser, a remote access Trojan (RAT) known to be used by Wekby and other APT actors.

The attackers delivered the malware using an infrastructure that includes domains made to look like they belong to major organizations such as Logitech and Global Print.

The hackers first deliver a dropper designed to add registry keys for persistence, and decrypt and execute a file that contains the pisloader payload. The payload is obfuscated using a ROP technique and contains random assembly instructions to make reverse engineering more difficult.

Pisloader uses DNS requests for C&C communications, which allows it to bypass certain security products that don’t properly inspect this type of traffic.

Advertisement. Scroll to continue reading.

An increasing number of threats have been leveraging the technique, including point-of-sale (PoS) malware such as FrameworkPOS and Multigrain.

In the case of pisloader, the malware periodically sends a DNS beacon request to its C&C server, whose location is hardcoded into the malware. The DNS responses must meet certain requirements, otherwise the malware will ignore them.

The server responds with a TXT record that can contain various commands for the malware, including to collect system information, list file information for a specified directory, upload a file to the infected machine, and launch a command shell.

The commands are similar to the ones used by HTTPBrowser, which, researchers said last year, was also using DNS as a covert communications channel.

Related: Microsoft Office Flaw Exploited by Several APT Actors

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Daily Briefing Newsletter

Subscribe to the SecurityWeek Email Briefing to stay informed on the latest threats, trends, and technology, along with insightful columns from industry experts.

SecurityWeek’s Threat Detection and Incident Response Summit brings together security practitioners from around the world to share war stories on breaches, APT attacks and threat intelligence.


Securityweek’s CISO Forum will address issues and challenges that are top of mind for today’s security leaders and what the future looks like as chief defenders of the enterprise.


Expert Insights

Related Content


The changing nature of what we still generally call ransomware will continue through 2023, driven by three primary conditions.


A recently disclosed vBulletin vulnerability, which had a zero-day status for roughly two days last week, was exploited in a hacker attack targeting the...


No one combatting cybercrime knows everything, but everyone in the battle has some intelligence to contribute to the larger knowledge base.

Malware & Threats

Threat actors are increasingly abusing Microsoft OneNote documents to deliver malware in both targeted and spray-and-pray campaigns.

Malware & Threats

Unpatched and unprotected VMware ESXi servers worldwide have been targeted in a ransomware attack exploiting a vulnerability patched in 2021.

Malware & Threats

A vulnerability affecting IBM’s Aspera Faspex file transfer solution, tracked as CVE-2022-47986, has been exploited in attacks.


The recent ransomware attack targeting Rackspace was conducted by a cybercrime group named Play using a new exploitation method, the cloud company revealed this...

Application Security

Virtualization technology giant VMware on Tuesday shipped urgent updates to fix a trio of security problems in multiple software products, including a virtual machine...