Malware, Network Security

Wekby hacker gang using DNS requests in new malware campaign

A long-time hacker group is using DNS requests as a command-and-control mechanism in a new series of malware attacks, according to researchers at Palo Alto Networks.

The APT group Wekby, which have attacked numerous U.S. targets, usually pounce as soon as exploits are revealed. Palo Alto has dubbed the new malware family "pisloader," and said it is similar to the HTTPBrowser malware family. Additionally, it uses a number of obfuscation strategies to avoid the probing eyes of researchers.

It was delivered via HTTP from a still-active URL and the initial dropper contained simple code "that is responsible for setting persistence via the Run registry key, and dropping and executing an embedded Windows executable," according to Palo Alto. This delivers the payload.

Another distinguishing characteristic of the pisloader malware family, Palo Alto said, is its use of return-oriented programming and other anti-analysis tactics.

The Wekby group is still active, the researchers said.

Related

Rootkit capabilities likely with Windows bugs

Several rootkit-like capabilities could be obtained by threat actors through the exploitation of vulnerabilities in Windows' DOS-to-NT path conversion process, including file and process concealment and compromised prefetch file analysis, reports The Hacker News.

Abusing GitHub flaw could compromise GitLab

Open-source DevOps software project GitLab has also been impacted by the same security issue in GitHub comments that has been exploited by threat actors through Microsoft repository-linked URLs to facilitate the distribution of malware that was made to seem to originate from credible entities' official source code repositories, according to BleepingComputer.

Related Events

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.