On May 24, 2016, Palo Alto Networks reported a recent campaign by the Chinese APT group Wekby using new malware and Tactics, Techniques, and Procedures (TTPs). Wekby has been active for several years, targeting entities in various industries. This campaign used a new malware variant, designated "Pisloader", that uses DNS requests as its Command and Control (C2) mechanism. DNS-based C2 is an uncommon TTP that lets the malware evade network security products that do not inspect DNS traffic, since its beacons and tasking blend in with ordinary name resolution. Ed Skoudis, co-founder of Counter Hack, identified DNS-based malware C2 as one of the six most dangerous attack techniques at the 2012 RSA Conference.
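A practitioner reading the paragraph above will want a way to surface DNS-based C2 in their own resolver logs. The following is an added example written for this page, not code from the report, from Palo Alto Networks, or from the Pisloader sample; it does not reproduce Pisloader's actual encoding or domains. It scores the leftmost label of each query for length and Shannon entropy (encoded C2 data tends to be long and random-looking) and then flags a client that sends several distinct such names to one registered domain. The log records, the domains `c2-demo.test` and `cdn-demo.test`, and the thresholds are all constructed for illustration.

```python
import math
from collections import defaultdict

# Constructed sample resolver log as (client_ip, qtype, qname) tuples.
# Illustrative records only; this is not captured Pisloader traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "A",   "www.example.com"),
    ("10.0.0.5", "A",   "mail.example.com"),
    ("10.0.0.5", "TXT", "q9a1kz8xv2m4ptn7r3bwc6y0.c2-demo.test"),
    ("10.0.0.5", "TXT", "h4gdl2pq0zx8rv5nm3tk1yw7.c2-demo.test"),
    ("10.0.0.5", "TXT", "z7x2vq9kb4m0pl8ns3wt6yc1.c2-demo.test"),
    ("10.0.0.9", "A",   "static-assets-eu-west-1.cdn-demo.test"),
    ("10.0.0.9", "A",   "www.example.com"),
]


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Crude registered-domain extraction: the last two labels.
    A real deployment would consult the public suffix list instead."""
    labels = qname.rstrip(".").split(".")
    return ".".join(labels[-2:])


def looks_encoded(qname, min_label_len=16, min_entropy=3.5):
    """True when the leftmost label is long and high-entropy, the shape
    that base32/base64-style encoded C2 data usually has. Thresholds are
    assumptions chosen for this example, not values from the report."""
    first = qname.rstrip(".").split(".")[0]
    return len(first) >= min_label_len and shannon_entropy(first) >= min_entropy


def find_suspicious(log, min_unique=3, **kw):
    """Flag (client, registered domain) pairs that sent at least min_unique
    distinct encoded-looking query names. Requiring several distinct names
    filters out one-off long hostnames such as CDN edge labels.
    Returns a sorted list of (client, domain, distinct_count)."""
    seen = defaultdict(set)
    for client, _qtype, qname in log:
        if looks_encoded(qname, **kw):
            seen[(client, registered_domain(qname))].add(qname.lower())
    return sorted(
        (client, domain, len(names))
        for (client, domain), names in seen.items()
        if len(names) >= min_unique
    )


if __name__ == "__main__":
    for client, domain, n in find_suspicious(SAMPLE_LOG):
        print(f"{client} -> {domain}: {n} distinct encoded-looking queries")
```

Entropy and label length alone produce false positives (CDN and cloud hostnames are long, and some are hex-like), which is why the aggregation step requires repeated distinct names to one domain from one client; in production you would also weight record type (TXT responses are an unusually large channel for a workstation), per-domain query volume, NXDOMAIN ratio, and the age of the queried domain, and then match hits against the indicator lists referenced by this report.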
This report includes details on the Pisloader malware and related infrastructure. Indicators are available through the links highlighted above. Mitigations are available in Red Sky Alliance.
(Sorry folks. This may be a bit dated, but I'm playing catch-up on some blogging. --Jeff)
Publication Date: 22 June 2016; information cutoff date: 15 June 2016
Handling requirements: Traffic light protocol (TLP) AMBER. Recipients may only share TLP: AMBER information with members of their own organization on a “need-to-know” basis and only as widely as necessary to act on that information.
Attribution/Threat Actors: Wekby
Actor type: Adversary capabilities have been assessed as Tier IV: criminal or state actors who are organized, highly technical, proficient, well-funded professionals working in teams to discover new vulnerabilities and develop exploits.