Wekby cyber-criminals use DNS tunnelling for command and control of malware

"Pisloader" DNS tunnelling malware signals shift in tactic by hacking group

Wekby cyber-criminals use DNS tunnelling for command and control of malware
Wekby cyber-criminals use DNS tunnelling for command and control of malware

Security researchers have observed an attack led by the APT group Wekby targeting a US-based organisation in recent weeks using DNS requests as a command and control mechanism.

According to researchers at Palo Alto Networks the cyber-criminals have been active for many years and are now targeting various industries such as healthcare, telecommunications, aerospace, defence, and high tech. The criminals are using the new technique instead of the more traditional HTTP method of command and control to infect networks with malware.

The researchers called the malware using DNS tunnelling “Pisloader” and said this has existed for some time but has not been used that often.

According to the team, the malware was delivered via HTTP to a website to download the malware which is an instance of the Poison Ivy malware family.

DNS tunnelling is used and leverages the TXT transport layer with the DNS protocol.  C&C instructions are put here to circumvent security products that rarely, if ever, interrogate such traffic for suspicious activity.

A maximum of 255 bytes of data can be transferred using this protocol so the process can be slow but for a long-term campaign, this suits hackers just fine.

“The malware is actually quite simplistic once the obfuscation and garbage code is ignored. It will begin by generating a random 10-byte alpha-numeric header. The remaining data is base32-encoded, with padding removed. This data will be used to populate a sub-domain that will be used in a subsequent DNS request for a TXT record,” the researchers said in a blog post.

“The malware expects various aspects of the DNS responses to be set in a specific way, or else pisloader will ignore the DNS reply.”

The researchers said the commands used by the malware were consistent with previous versions of HTTPBrowser, which is another malware family frequently used by the Wekby group.

“Additionally, a number of commands themselves, such as the ‘list', ‘drive', and ‘upload' commands are consistent with HTTPBrowser. The formatted responses from these commands are also identical,” said the researchers.

Marta Janus, security researcher at Kaspersky Lab, told SCMagazineUK.com that DNS requests are used to avoid network based detection. “This method is not new but still quite rare and can be used to bypass security products and network detection tools that don't inspect DNS traffic,” she said.

“The cyber-criminals set up their own malicious DNS server rather than abusing an existing legitimate one, therefore there is little organisations can do to prevent it.”

She added that there can't be much done to prevent cyber-criminals from using it, “but detecting it is possible by monitoring the DNS-based traffic and looking for anomalies.”

Rich Barger, chief intelligence officer at ThreatConnect, told SCMagazineUK.com that using DNS for command and control gives the attackers the ability to hide within the noise of a high volume, business critical protocol that is often overlooked by security operations.

“DNS services are essential to modern enterprises, so depending on how the targeted enterprise has configured their DNS, an attacker might enjoy additional survivability, versus using protocols such as HTTP which is often funnelled into chokepoints, and inspected much closer,” he said.

He concludes: “Just like we cannot expect to prevent all terrorist attacks across the globe, we cannot expect attacks like this won't be directed against our enterprises. We should be preparing and (equipping) our enterprises so that we are proactively looking for abuses of such protocols and abnormal traffic.”