Palo Alto Networks is reporting a shift in malware tactics used by the APT group Wekby that has added a rare but effective new tool to its bag of tricks. The security firm reported on Tuesday that over the past week, Wekby attackers are turning to the technique known as DNS tunneling in lieu of more conventional HTTP delivery of command and controls for remote access control of infected computer networks.
Researchers discovered the change in strategy while monitoring an undisclosed U.S.-based high-tech firm targeted by the gang. Palo Alto Networks call the DNS tunneling malware pisloader, adding it has existed for some time but is seldom used. The use of the DNS-based attacks differs from the Wekby’s go-to malware HTTPBrowser, which is still used widely by the group, according to Ryan Olson, researcher at Palo Alto Networks Unit 42 team.
“We found it really interesting that this pisloader malware technique not only was being used to exfiltration data but also as a command and control mechanism,” Olson told Threatpost. The malware is uncommon because of its limited use case for attacks and that it requires above average technical sophistication by the perpetrator to configure. Domains used in the Wekby attack outlined by Palo Alto Networks include globalprint-us[.]com, ns1.logitech-usa[.]com and intranetwabcam[.]com.
DNS tunneling takes advantage of the TXT transport layer within the DNS protocol used by top and second level domain name system servers. A maximum of 255 bytes of data can be transported via DNS request between endpoint and a DNS server using the TXT layer. For Wekby attackers that have already gained a foothold on targeted systems, the DNS tunneling of commands and DNS tunneling used to remove of data is extremely slow, but well suited for long term APT campaigns.
In the case of pisloader, attackers would use their own DNS server that they controlled to send and receive C2 commands to infected computers. Embedded in the DNS TXT layer of the call and responses between infected client and Wekby’s DNS server would be a mix of five instructions including; collect victim system information, list drives on victim machine, list file information for provided directory, upload a file to the victim machine, and spawn a command shell.
To obfuscate those commands, Wekby attackers use base32 encoding on the DNS TXT layer making it appear that the DNS TXT was simply garbage strings of DNS metadata.
For attackers, DNS tunneling is a double-edged sword, Olson said. “Pisloader is extremely hard to discover if you’re not already looking for it. But with a limit of 255 bytes per message uploading anything could take days to weeks without sounding alarms,” he said. But because pisloader was able to skirt many security products that don’t inspect DNS traffic properly, attackers are willing to sacrifice speed for stealth, Olson said. For those reasons the use of pisloader is extremely rare, even among Wekby gangs. In fact, the use of DNS as a C2 protocol has never been widely adopted by APT gangs. Olson said, there are very few malware families with similar DNS tunneling attributes such a FrameworkPOS, C3PRO-RACCOON and FeederBot.
Palo Alto Networks said it was able to link the pisloader malware to Wekby because it shared many similar characteristics found within the HTTPBrowser RAT family – commonly used by Wekby. Palo Alto Networks said the Wekby APT group remains active, targeting many U.S.-based healthcare, telecommunications, aerospace, defense, and high-tech companies.
“The group is known to leverage recently released exploits very shortly after those exploits are available, such as in the case of HackingTeam’s Flash zero-day exploit,” according to Palo Alto Networks report on the pisloader. Palo Alto Networks has said that Wekby has often leveraged the zero-day Adobe Flash Exploit (CVE-2015-5119) via spear phishing campaigns. That said, Olson told Threatpost researchers couldn’t be sure of the exploit used to gain a foothold in the high-tech firm targeted by Wekby attackers.
