Mozart Backdoor

Summary

Mozart is a backdoor that targets Microsoft Windows and uses the DNS protocol for command and control (C2) communication.


Affected platforms

The following platforms are known to be affected:

  • Microsoft Windows

Threat details

At the time of publication, it is believed that Mozart is distributed through malicious emails. The emails include PDF attachments that link to a remote ZIP archive. The archive contains an installer written in JScript that extracts and runs a Base64-encoded executable. The executable copies itself to a Startup folder so that it runs each time the device is used.

The attackers operating Mozart attempt to evade detection by using the DNS protocol to issue commands. Infected devices request DNS TXT records from a C2 server controlled by the attackers and receive instructions or configuration data in the responses. At the time of publication, it is not known what commands are run on infected devices.


Remediation steps

Infections by Mozart or similar malware can be detected by monitoring and blocking DNS requests (outbound port 53) to any server that is not authorised.
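The following script, added here as an illustration rather than NHS Digital's own tooling, applies the two detection ideas above to DNS query logs: it flags query names ending in the Mozart TXT-request suffixes listed under Indicators of compromise, and it flags lookups sent to resolvers outside an allow-list, treating a TXT lookup via an unauthorised resolver as a stronger signal. The log format, the authorised resolver addresses and the sample log lines are constructed assumptions for this example.

```python
import re
from collections import defaultdict
# TXT-query suffixes Mozart uses to poll its C2 (the list given in this advisory).
MOZART_SUFFIXES = (".getid", ".gettasks", ".gettasksize", ".gettask",
                   ".reporttask", ".reportupdates", ".getupdates")
# Resolvers the organisation permits; constructed values for this example.
AUTHORISED_RESOLVERS = {"10.0.0.53", "10.0.1.53"}
# Constructed log format: "<timestamp> <client_ip> <resolver_ip> <qtype> <qname>"
LOG_RE = re.compile(r"^(\S+)\s+(?P<client>\S+)\s+(?P<resolver>\S+)\s+(?P<qtype>\S+)\s+(?P<qname>\S+)$")
def parse(line):
    """Split one log line into its fields, or return None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None

def analyse_query(line):
    """Return the list of alert reasons for one DNS log line (empty if nothing matched)."""
    q = parse(line)
    if q is None:
        return ["unparseable"]
    reasons = []
    qname = q["qname"].rstrip(".").lower()
    for suffix in MOZART_SUFFIXES:          # the command word is the rightmost label
        if qname.endswith(suffix):
            reasons.append(f"mozart-suffix:{suffix}")
            break
    if q["resolver"] not in AUTHORISED_RESOLVERS:
        reasons.append(f"unauthorised-resolver:{q['resolver']}")
        # Mozart fetches its tasking from TXT records, so a TXT lookup sent to an
        # unauthorised resolver is a much stronger signal than either fact alone.
        if q["qtype"].upper() == "TXT":
            reasons.append("txt-via-unauthorised-resolver")
    return reasons

def scan(lines):
    """Group alerts by client so one infected host appears as a single entry."""
    alerts = defaultdict(list)
    for line in lines:
        q = parse(line)
        if q and (reasons := analyse_query(line)):
            alerts[q["client"]].append((q["qname"], reasons))
    return dict(alerts)
# Constructed sample log: two normal lookups from one host and three Mozart-style
# polls from another (93.188.155.2 is the C2 address listed in this advisory).
SAMPLE_LOG = """\
2021-06-29T11:58:01Z 10.0.5.20 10.0.0.53 A www.example.com.
2021-06-29T11:58:03Z 10.0.5.20 10.0.0.53 TXT _dmarc.example.com.
2021-06-29T11:58:10Z 10.0.5.31 93.188.155.2 TXT 4f2a9c.getid
2021-06-29T11:58:12Z 10.0.5.31 93.188.155.2 TXT 4f2a9c.gettasksize
2021-06-29T11:58:14Z 10.0.5.31 10.0.0.53 TXT 4f2a9c.gettasks
""".splitlines()
```

Calling `scan(SAMPLE_LOG)` reports only 10.0.5.31, and the last sample line shows that the suffix rule still fires when the query is relayed through an authorised resolver.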

To prevent an infection, NHS Digital advises that:

  • Secure configurations are applied to all devices.
  • Security updates are applied at the earliest opportunity.
  • Tamper protection settings in security products are enabled where available.
  • Obsolete platforms are segregated from the rest of the network.
  • IT usage policies are reinforced by regular training to ensure all users know not to open unsolicited links or attachments.
  • Multi-factor authentication (MFA) and lockout policies are used where practicable, especially for administrative accounts.
  • Administrative accounts are only used for necessary purposes.
  • Remote administration services use strongly encrypted protocols and only accept connections from authorised users or locations.

Please note that the NCSC maintains guidance for securely configuring a wide range of end user device (EUD) platforms. For further details, refer to its end user device security guidance pages.



Indicators of compromise

Main indicators

IP Addresses

  • 93.188.155[.]2

URLs

  • masikini[.]com/CarlitoRegular.zip

DNS request suffixes

  • .getid
  • .gettasks
  • .gettasksize
  • .gettask
  • .reporttask
  • .reportupdates
  • .getupdates

Filenames

  • CarlitoRegular.js
  • %Temp%\mozart.txt
  • %Temp%\calc.exe
  • %AppData%\Microsoft\Windows\Start Menu\Programs\Startup\[random filename].exe

Last edited: 29 June 2021 12:00 pm