Mozart Backdoor Using DNS

“Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

A new backdoor malware called Mozart is abandoning HTTP/S protocols and using the DNS protocol to communicate with remote attackers. This technique is designed to evade detection by security software and intrusion detection systems.

In addition to converting hostnames to IP addresses, the DNS protocol also allows users to query TXT records that contain text data. Although this feature is commonly used for domain ownership verification for online services and email security policies, the TXT block can store any text data and in this case is used to store commands that are retrieved by the malware and executed on the infected computer.

This technique provides the attacker with a couple of tactical advantages. First off, DNS activity is very noisy and allows an attack like this to get past many traditional out-of-the-box detection tools and security sensors. In addition, the use of a callback function allows the attacker to rapidly change the target URL or IP for their campaign as security teams aim to block connection attempts to those URLs/domains. At this time, it is not known what commands are being executed by Mozart.