Palo Alto Networks researchers noticed that a China-linked advanced persistent threat (APT) actor has been using a piece of malware that leverages DNS requests for command and control (C&C) communications.
The group, known as Wekby, APT 18, Dynamite Panda and TG-0416, is believed to be responsible for the 2014 attack on Community Health Systems, one of the largest hospital operators in the United States. In that operation, the attackers reportedly stole 4.5 million patient records by exploiting the OpenSSL vulnerability dubbed Heartbleed.
The group is known to quickly add new exploits to its arsenal. One example is a Flash Player exploit that the actor started using shortly after it was leaked last year from Italian spyware maker Hacking Team.
In a more recent attack aimed at a US-based organization, Wekby leveraged a piece of malware dubbed by Palo Alto Networks “pisloader.” Based on metadata and the commands it uses, researchers believe pisloader is a variant of HTTPBrowser, a remote access Trojan (RAT) known to be used by Wekby and other APT actors.
The attackers delivered the malware using an infrastructure that includes domains made to look like they belong to major organizations such as Logitech and Global Print.
The hackers first deliver a dropper designed to add registry keys for persistence, and decrypt and execute a file that contains the pisloader payload. The payload is obfuscated using a ROP technique and contains random assembly instructions to make reverse engineering more difficult.
Pisloader uses DNS requests for C&C communications, which allows it to bypass certain security products that don’t properly inspect this type of traffic.
An increasing number of threats have been leveraging the technique, including point-of-sale (PoS) malware such as FrameworkPOS and Multigrain.
In the case of pisloader, the malware periodically sends a DNS beacon request to its C&C server, whose location is hardcoded into the malware. The DNS responses must meet certain requirements, otherwise the malware will ignore them.
The server responds with a TXT record that can contain various commands for the malware, including to collect system information, list file information for a specified directory, upload a file to the infected machine, and launch a command shell.
The commands are similar to the ones used by HTTPBrowser, which, researchers said last year, was also using DNS as a covert communications channel.
Related: Microsoft Office Flaw Exploited by Several APT Actors
Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.
More from Eduard Kovacs
- Apple Denies Helping US Government Hack Russian iPhones
- Zero-Day in MOVEit File Transfer Software Exploited to Steal Data From Organizations
- Russia Blames US Intelligence for iOS Zero-Click Attacks
- Cisco Acquiring Armorblox for Predictive and Generative AI Technology
- Moxa Patches MXsecurity Vulnerabilities That Could Be Exploited in OT Attacks
- Organizations Warned of Salesforce ‘Ghost Sites’ Exposing Sensitive Information
- Organizations Warned of Backdoor Feature in Hundreds of Gigabyte Motherboards
- Barracuda Zero-Day Exploited to Deliver Malware for Months Before Discovery
Latest News
- OpenAI Unveils Million-Dollar Cybersecurity Grant Program
- Galvanick Banks $10 Million for Industrial XDR Technology
- Information of 2.5M People Stolen in Ransomware Attack at Massachusetts Health Insurer
- US, South Korea Detail North Korea’s Social Engineering Techniques
- High-Severity Vulnerabilities Patched in Splunk Enterprise
- Idaho Hospitals Working to Resume Full Operations After Cyberattack
- Enzo Biochem Ransomware Attack Exposes Information of 2.5M Individuals
- Apple Denies Helping US Government Hack Russian iPhones
