An advanced persistent threat (APT) attacker has been using a piece of malware that leverages DNS requests for command and control (C&C) communications, researchers said.
The group, known as Wekby, APT 18, Dynamite Panda and TG-0416, appears to be responsible for the 2014 attack on Community Health Systems, one of the largest hospital operators in the United States, said researchers at Palo Alto Networks. In that operation, the attackers stole 4.5 million patient records by exploiting the OpenSSL vulnerability, Heartbleed.
The group can quickly add new exploits to its arsenal. One example is a Flash Player exploit the attacker started using shortly after it leaked last year from Italian spyware maker Hacking Team.
In a more recent attack aimed at a U.S. company, Wekby used malware, which could be a variant of HTTPBrowser, a remote access Trojan (RAT) used by Wekby and other APT attackers.
The attackers delivered the malware using an infrastructure that includes domains made to look like they belong to major organizations such as Logitech and Global Print.
The hackers first deliver a dropper designed to add registry keys for persistence, and decrypt and execute a file that contains the payload. The payload end up obfuscated using a ROP technique and contains random assembly instructions to make reverse engineering more difficult.
The malware uses DNS requests for C&C communications, which allows it to bypass certain security products that don’t properly inspect this type of traffic.
An increasing number of threats have been leveraging the technique, including point-of-sale (PoS) malware such as FrameworkPOS and Multigrain.
In this case, the malware periodically sends a DNS beacon request to its C&C server, whose location is in the malware. The DNS responses must meet certain requirements, otherwise the malware will ignore them.
The server responds with a TXT record that can contain various commands for the malware, including to collect system information, list file information for a specified directory, upload a file to the infected machine, and launch a command shell.
The commands are similar to the ones used by HTTPBrowser, which, researchers said last year, was also using DNS as a covert communications channel.