Mozart Backdoor Using DNS

BlueVoyant

“Life in the SOC” is a blog series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities.

A new backdoor malware called Mozart is abandoning HTTP/S protocols and using the DNS protocol to communicate with remote attackers. This technique is designed to evade detection by security software and intrusion detection systems.

In addition to converting hostnames to IP addresses, the DNS protocol also allows users to query TXT records that contain text data. Although this feature is commonly used for domain ownership verification for online services and for email security policies, a TXT record can store any text data, and in this case it is used to store commands that are retrieved by the malware and executed on the infected computer.

This technique gives the attacker a couple of tactical advantages. First, DNS activity is very noisy, so an attack like this can get past many traditional out-of-the-box detection tools and security sensors. Second, because the malware retrieves its instructions by resolving a domain rather than connecting to a fixed endpoint, the attacker can rapidly change the target URL or IP for the campaign as security teams work to block connection attempts to those URLs/domains.

At this time, it is not known what commands are being executed by Mozart.
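The post describes commands being fetched through DNS TXT lookups; the following added example (not from the original post, and not tied to any real Mozart sample) shows two detections a SOC can run over resolver logs to surface that pattern: TXT answers that are neither a known policy record nor readable text, and repeated TXT lookups of one name from one client inside a short window. The log format, the client addresses, the `cmd.c2.invalid` name and the base64 payload strings are all constructed for the example.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver log lines: "<hh:mm:ss> <client> <qtype> <qname> <rdata>"
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com 93.184.216.34
10:00:02 10.0.0.5 TXT example.com "v=spf1 include:_spf.example.com -all"
10:00:03 10.0.0.7 TXT cmd.c2.invalid "Q29uc3RydWN0ZWQgc2FtcGxlIHBheWxvYWQgMQ=="
10:00:08 10.0.0.7 TXT cmd.c2.invalid "Q29uc3RydWN0ZWQgc2FtcGxlIHBheWxvYWQgMg=="
10:00:13 10.0.0.7 TXT cmd.c2.invalid "Q29uc3RydWN0ZWQgc2FtcGxlIHBheWxvYWQgMw=="
10:00:20 10.0.0.9 TXT _dmarc.example.com "v=DMARC1; p=reject"
"""

# Policy/verification records that legitimately live in TXT; never flagged on content.
KNOWN_TXT_PREFIXES = ("v=spf1", "v=dkim1", "v=dmarc1", "google-site-verification=")
B64_LIKE = re.compile(r"^[A-Za-z0-9+/]{16,}={0,2}$")

def shannon_entropy(s):
    """Bits per character; encoded or encrypted data scores higher than English text."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values()) if n else 0.0

def parse_line(line):
    ts, client, qtype, qname, rdata = line.split(" ", 4)
    h, m, s = (int(x) for x in ts.split(":"))
    return {"t": h * 3600 + m * 60 + s, "client": client, "qtype": qtype,
            "qname": qname.lower(), "rdata": rdata.strip('"')}

def suspicious_txt_content(rdata):
    """Flag TXT data that is neither a known policy record nor readable text."""
    if rdata.lower().startswith(KNOWN_TXT_PREFIXES):
        return False
    return bool(B64_LIKE.match(rdata)) or shannon_entropy(rdata) > 4.5

def detect(log_text, beacon_count=3, window_s=60):
    """Return (rule, client, qname) findings for TXT-based command retrieval."""
    findings, seen = [], defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec["qtype"] != "TXT":
            continue
        if suspicious_txt_content(rec["rdata"]):
            findings.append(("opaque_txt", rec["client"], rec["qname"]))
        times = seen[(rec["client"], rec["qname"])]
        times.append(rec["t"])
        # Repeated TXT lookups of one name inside the window look like a polling loop.
        if sum(1 for t in times if rec["t"] - t <= window_s) == beacon_count:
            findings.append(("txt_beacon", rec["client"], rec["qname"]))
    return findings
```

Both rules fire only on the constructed client 10.0.0.7; the SPF and DMARC lookups pass through untouched, which is the point of allow-listing known TXT record types before scoring content.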