Home Blog Mozart Backdoor Using DNS Mozart Backdoor Using DNS BlueVoyant Share: Facebook Twitter LinkedIn “Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities. A new backdoor malware called Mozart is abandoning HTTP/S protocols and using the DNS protocol to communicate with remote attackers. This technique is designed to evade detection by security software and intrusion detection systems. In addition to converting hostnames to IP addresses, the DNS protocol also allows users to query TXT records that contain text data. Although this feature is commonly used for domain ownership verification for online services and email security policies, the TXT block can store any text data and in this case is used to store commands that are retrieved by the malware and executed on the infected computer. This technique provides the attacker with a couple of tactical advantages. First off, DNS activity is very noisy and allows an attack like this to get past many traditional out-of-the-box detection tools and security sensors. In addition, the use of a callback function allows the attacker to rapidly change the target URL or IP for their campaign as security teams aim to block connection attempts to those URLs/domains. At this time, it is not known what commands are being executed by Mozart. Share: Facebook Twitter LinkedIn Related reading Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more Why Bluevoyant BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor October 14, 2021 BlueVoyant commissioned its second annual insightful survey: “Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem.” Read more
BlueVoyant Share: Facebook Twitter LinkedIn “Life in the SOC” is a Blog Series that shares experiences of the BlueVoyant SOC defending against the current and prevalent attacks encountered by our clients. The blogs discuss successful detection, response and mitigation actions that can improve your defensive capabilities. A new backdoor malware called Mozart is abandoning HTTP/S protocols and using the DNS protocol to communicate with remote attackers. This technique is designed to evade detection by security software and intrusion detection systems. In addition to converting hostnames to IP addresses, the DNS protocol also allows users to query TXT records that contain text data. Although this feature is commonly used for domain ownership verification for online services and email security policies, the TXT block can store any text data and in this case is used to store commands that are retrieved by the malware and executed on the infected computer. This technique provides the attacker with a couple of tactical advantages. First off, DNS activity is very noisy and allows an attack like this to get past many traditional out-of-the-box detection tools and security sensors. In addition, the use of a callback function allows the attacker to rapidly change the target URL or IP for their campaign as security teams aim to block connection attempts to those URLs/domains. At this time, it is not known what commands are being executed by Mozart. Share: Facebook Twitter LinkedIn Related reading Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more Why Bluevoyant BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor October 14, 2021 BlueVoyant commissioned its second annual insightful survey: “Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem.” Read more
Malware AnchorDNS Comes Ashore: Evolutions in the TTPs of TrickBot November 12, 2021 Using our knowledge of AnchorDNS-now-Stickseed, BlueVoyant Third-Party Risk and Managed Security Services were able to identify a Stickseed attack in the… Read more
Identifying Threats Pivoting on Compliance Efforts Under CMMC 2.0 November 9, 2021 The U.S. government released CMMC 2.0 on November 4, or less than one week ago. This brief summarizes what we currently know, key points that still need to… Read more
Why Bluevoyant BlueVoyant Research: Majority of Firms Have Suffered a Direct Cybersecurity Breach Caused by a Third-Party Vendor October 14, 2021 BlueVoyant commissioned its second annual insightful survey: “Global Insights – Managing Cyber Risk Across the Extended Vendor Ecosystem.” Read more
