The Mozart malware has made a major comeback. The backdoor known for infecting Home Depot Inc. in the United States and breaching its data is now using a new DNS-based protocol to communicate with the remote attackers.
This DNS channel also lets Mozart stay under the radar of security solutions, antivirus products and intrusion detection systems.
Read on to learn more about this backdoor malware.
Mozart first appeared in September 2014, when it was used to hack Home Depot Inc. in the United States.
According to sources, this previously unknown malware was crafted specifically to attack Home Depot, the largest home improvement retailer in the United States. The word "Mozart" was found in the malicious code, and sources suspect it refers to the attackers' own system.
The backdoor installs itself as a legitimate-looking service in order to persist on the infected system. It then creates a temporary file in which it stores the data found by its RAM scraper.
Before storing the data, the malware parses Track 1 and Track 2 data and validates the card numbers with the Luhn algorithm before encoding them.
Mozart used file names that appeared legitimate to evade detection, and collected credit and debit card details for over 56 million accounts.
The malware has since been used in a number of high-profile breaches, and it is known for using a variety of techniques to accomplish its mission while avoiding detection.
Mozart is currently causing havoc by using a new DNS-based protocol. This protocol lets Mozart contact the remote attackers, receive instructions and evade detection by security solutions.
Most malware receives the instructions it executes on an infected machine over HTTP/S, because those protocols are easy to use and easy for the operators to communicate over; Mozart instead uses DNS.
Beyond resolving host names to IP addresses, DNS can also be queried for TXT records, which carry free-form text data.
The attackers behind Mozart are abusing this feature: DNS TXT records are used to deliver the commands that the malware retrieves and executes on the infected computer.
According to security analysts, Mozart is spreading via spam e-mails carrying malicious PDF documents. These PDF files contain links to a ZIP file hosted at https://masikini[.]com/CarlitoRegular[.]zip.
The ZIP is believed to contain a JScript file that is saved on the infected system as an executable, %Temp%\calc.exe. When this file is executed, it extracts a base64-encoded executable, which then searches the system for another file, %Temp%\mozart.txt.
If that file is not found, the malware creates it with '12345' as its only content. It then performs several tasks on the infected system, including copying calc.exe from its original folder into a randomly named folder, which ensures that the file starts automatically with every system reboot.
According to security analysts, Mozart communicates with the attacker-controlled DNS server and issues various requests to receive instructions or configuration data.
During analysis, Mozart was observed persistently sending 'gettasks' queries to the attacker's server to fetch the commands, tasks or instructions it should perform. It is still unknown which commands the attackers send and which ones Mozart carries out.
It is possible that the attackers behind Mozart are still building up their botnet before any commands are transmitted.
1). Be vigilant when using common internet services, and be alert to novel channels for malicious communication such as online advertisements, discount coupon links or e-mails.
2). Avoid opening enticing e-mail attachments, and do not open an e-mail at all if its subject line looks suspicious.
3). Install and enable security solutions and intrusion detection systems that are capable of monitoring DNS TXT requests.
4). Enable the pop-up blocker or ad blocker in your browser. This helps protect you from adware that could bring malware onto your system after an accidental click.
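The 'gettasks' polling described above and the recommendation to monitor DNS TXT requests can be turned into a simple detection. The following is an added example, not code from the article or from any product: it parses a constructed BIND-style query log and flags hosts that repeatedly query TXT records under the same domain (the domain name and IP addresses are made up for the sample).

```python
import re
from collections import defaultdict

# Constructed sample of a BIND-style query log (not taken from the article).
# 10.0.0.7 repeatedly resolves TXT records under one domain, which is the
# beaconing pattern the article describes for Mozart's 'gettasks' polling.
SAMPLE_LOG = """\
12-Feb-2020 10:00:01.101 client 10.0.0.5#51000: query: www.example.com IN A +
12-Feb-2020 10:00:02.310 client 10.0.0.5#51002: query: _dmarc.example.com IN TXT +
12-Feb-2020 10:00:05.200 client 10.0.0.7#51001: query: gettasks.c2-example.test IN TXT +
12-Feb-2020 10:00:35.222 client 10.0.0.7#51003: query: gettasks.c2-example.test IN TXT +
12-Feb-2020 10:01:05.251 client 10.0.0.7#51004: query: gettasks.c2-example.test IN TXT +
12-Feb-2020 10:01:35.299 client 10.0.0.7#51005: query: a1b2c3.c2-example.test IN TXT +
12-Feb-2020 10:02:00.000 client 10.0.0.9#51006: query: mail.example.com IN MX +
"""

LINE_RE = re.compile(
    r"client (?P<src>\d+\.\d+\.\d+\.\d+)#\d+: query: (?P<qname>\S+) IN (?P<qtype>[A-Z]+)"
)


def parse_queries(log_text):
    """Yield (src_ip, qname, qtype) for every query line; skip lines that do not match."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield m.group("src"), m.group("qname").rstrip(".").lower(), m.group("qtype")


def registered_domain(qname):
    """Approximate the registered domain as the last two labels.
    Assumption: no public-suffix list is consulted, which is enough for this sample."""
    labels = qname.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else qname


def txt_polling_suspects(log_text, min_queries=3):
    """Return {(src_ip, domain): count} for hosts whose TXT queries to one domain
    reach the threshold. Legitimate TXT use (SPF, DMARC checks) is sporadic by
    comparison with a backdoor polling for tasks every few seconds."""
    counts = defaultdict(int)
    for src, qname, qtype in parse_queries(log_text):
        if qtype == "TXT":
            counts[(src, registered_domain(qname))] += 1
    return {key: n for key, n in counts.items() if n >= min_queries}


if __name__ == "__main__":
    for (src, domain), n in txt_polling_suspects(SAMPLE_LOG).items():
        print(f"{src} sent {n} TXT queries for {domain}")
```

Tune `min_queries` and add a time window in production; a single threshold over an unbounded log will eventually flag mail servers that verify SPF records for many senders.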