Mozart Malware
News | 02/25/2020

The novel DNS protocol helps Mozart Malware evade detection

About: Mozart malware is using a new DNS Code of Behavior to avoid any possible detection by the security solutions & intrusion systems. Read on to know how to avoid this nasty threat.

| News | The novel DNS protocol helps Mozart Malware evade detection

The nasty Mozart Malware has made a major comeback in the cyber-world. Yes, the devious malware known for infecting the Home Depot Inc, United States & breaching data is now using a novel DNS protocol to communicate with the remote hackers.


This new DNS Protocol is also being used by Mozart Malware to remain under the radar of security solutions, antivirus & other intrusion detection systems.

Read on to know more about this backdoor malware.

The First Attack of Mozart Malware

Mozart malware made its first appearance in September 2014 after it hacked the Home Depot Inc., United States.

According to the sources, this earlier unknown & unseen malware was specifically crafted to attack the Home Depot, the largest home development vendor in the United States. The word “Mozart” was observed in the software’s malicious code & it is suspected to have connections with the hacker’s system, the sources state.

This malign backdoor malware installs as a useful service to endure on the infected system. It would then create a temporary file to store the stolen data after it is located by the RAM Scrapers.

Before storing the data, the malware performs malicious functions to analyze Track 1 & 2 data & then employs Luhn Algorithm prior encoding the card numbers.

The Mozart Malware smartly used files names that appeared legitimate to easily evade detection & gathered credit & debit card details of over 56 Million Accounts.

This nasty malware has also been used to carry out a myriad of high-profile breaches. It is also known for using plethora of ways to accomplish the mission & avoid any possible detection.

The Novel DNS Protocol of Mozart Malware

The nasty backdoor malware, Mozart is currently creating havoc in the cyber world by using a new DNS Protocol. This protocol enables Mozart to contact the remote hackers, receive instructions & smartly escape any possible detection by the cyber-security solutions.

In order to receive instructions those are to be executed on infected machine, it uses HTTP/S protocols for the ease of both use & communication with the hackers.

The Usage of DNS TXT Records by Malware

Apart from converting the host-names to its IP Addresses, DNS modus operandi can also be used to query TXT records that contain text data.

This feature is smartly being used by the hackers behind Mozart Malware. The DNS TXT records are being employed to harvest commands that the malware retrieves & executes on the infected computer.

How Does the Mozart Malware Propagate & Work

According to the cyber-security analysts, the Mozart malware is proliferating via spam e-mails containing malicious PDF documents. These PDF files contain links to a ZIP File located at https://masikini[.]com/CarlitoRegular[.]zip.

This zip is suspected to contain a JScript File that gets saved in the infected system as an executable file – %Temp%\calc.exe. When this file is executed, it extracts a base64 encoded executable, which then searches the system for another file, %Temp%\mozart.txt.

In case, such a file is not found, it creates the file that contains ‘12345’ as the only content. If then performs some tasks on the infected system including copying the calc.exe file from its original folder & moving it to a random named folder. Doing so ensures automatic startup of the file with every system reboot.

Mozart Text File

According to cyber-security analysts, the Mozart malware communicates with the hacker-controlled DNS server & issue various requests to receive instructions or configure data.

It was observed during analysis that Mozart persistently sends ‘gettasks’ queries to the attacker’s server to find the commands/tasks/instructions to perform. However, it is still unknown as to what commands given by the hackers the Mozart performs.

There are positives that the hackers behind Mozart are working on building up their botnet before the commands could be transmitted.

How to Avoid this Nasty Threat

1). Be vigilant while using commonly used internet services & possible novel methods of malicious communication such as online advertisements, discount coupon links or e-mails.

2). Avoid clicking/opening enticing e-mail attachments. Or, do not open the e-mail if something fishy about the subject-line is suspected.

3). Install & enable the security solutions & intrusion systems that are capable of monitoring DNS TXT Requests.

4). We strongly recommend the use of antivirus protection/internet security in your PC like Vipre and BULL GUARD so that it remains safe.

5). Enable the popup blocker/ ad blocker in your chosen browser. This will help you to stay protected from annoying adware, which might invite malware on your system following an accidental click.

Hits: 430

Leave a Reply

Your email address will not be published. Required fields are marked *

Did you find the article informative? Yes NO

Get Regular Updates Related to All the Threats

Want to stay informed about the latest threats & malware? Sign up for our newsletter & learn how to get rid of all types of threats from your computer.

Virus Removal Guidelines
Plot No 319, Nandpuri- B Pratap Nagar
Rajasthan 302033
Phone: +91 9799661866