Mozart Malware Hides Traffic - Binary Defense

Threat Watch


Mozart Malware Hides Traffic

Discovered by MalwareHunterTeam, a new backdoor malware called Mozart has been found using the DNS protocol to communicate with remote attackers and evade detection by security software. Normally, when malware checks in for commands, it does so over HTTP/S because those protocols are convenient. Most security software monitors HTTP/S traffic and blocks connections it determines to be malicious. Mozart instead uses DNS, the protocol that converts a hostname such as www.example.com to its IP address, 93.184.216.34, as the channel through which it reaches the remote attacker.

ANALYST NOTES

It is important to remember that malware using the DNS protocol to communicate is not unique to Mozart. To block Mozart, users could block the IP address it communicates with, but that would create a cat-and-mouse game of chasing changing DNS servers. Instead, it is more effective to watch for the methods of malicious communication themselves: if the security software can monitor DNS queries, enable that capability so it can block suspicious traffic. To read more: https://www.bleepingcomputer.com/news/security/new-mozart-malware-gets-commands-hides-traffic-using-dns/
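As an added example (not code from the Binary Defense post), the script below runs over constructed DNS query log lines and flags the pattern the notes recommend watching for: one client sending many distinct, random-looking subdomains to a single parent domain, which is how commands and data are tunnelled through DNS. The log format, the thresholds and the `c2-placeholder.test` domain are assumptions made for the example.

```python
import math
from collections import defaultdict

# Constructed sample of DNS query logs (time, client, query type, name); not real traffic.
# The .test domain is a placeholder standing in for an attacker-controlled zone.
SAMPLE_LOG = """\
10:00:01 10.0.0.5 A www.example.com
10:00:02 10.0.0.5 A mail.example.com
10:00:03 10.0.0.5 TXT a3f9c1e7b2d4.c2-placeholder.test
10:00:04 10.0.0.5 TXT 7e21bd90ff4a.c2-placeholder.test
10:00:05 10.0.0.5 TXT c04d8a1e5b77.c2-placeholder.test
10:00:06 10.0.0.5 TXT 91ab3e6f0d2c.c2-placeholder.test
10:00:07 10.0.0.5 TXT 5d7f2c8e9a10.c2-placeholder.test
10:00:08 10.0.0.7 A cdn.example.com
"""

def shannon_entropy(s: str) -> float:
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def split_name(qname: str):
    """Approximate the registered domain as the last two labels (assumption;
    a production tool would consult the Public Suffix List instead)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:]), ".".join(labels[:-2])

def find_dns_c2_candidates(log_text: str, min_unique=4, min_entropy=3.0):
    """Group queries by (client, parent domain) and flag pairs that show many
    distinct, high-entropy subdomains: the shape of a DNS command channel."""
    groups = defaultdict(set)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines rather than crash on them
        _ts, client, _qtype, qname = parts
        parent, sub = split_name(qname)
        if sub:
            groups[(client, parent)].add(sub)
    flagged = {}
    for key, subs in groups.items():
        mean_entropy = sum(map(shannon_entropy, subs)) / len(subs)
        if len(subs) >= min_unique and mean_entropy >= min_entropy:
            flagged[key] = {"unique_subdomains": len(subs),
                            "mean_entropy": round(mean_entropy, 2)}
    return flagged

if __name__ == "__main__":
    for (client, domain), stats in find_dns_c2_candidates(SAMPLE_LOG).items():
        print(f"suspicious: {client} -> {domain} {stats}")
```

Ordinary hosts such as www.example.com produce few, low-entropy labels and are left alone; the thresholds should be tuned against a baseline of the network's own DNS traffic before alerting on them.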
