
CASHY200

Posted: November 17, 2020

The xHunt campaign, which targets Kuwait-based organizations and individuals, continues to surprise malware researchers by revealing additional malware families that the perpetrators relied on. Recently, malware experts came across a previously unidentified backdoor Trojan that appeared to reside on many of the computers previously infected by the xHunt malware. The backdoor, dubbed CASHY200, is PowerShell-based and relies heavily on DNS tunneling to contact its Command-and-Control server.

The CASHY200 Backdoor is Used in the xHunt Malware Campaign

The operators of the CASHY200 backdoor set up peculiar domain names in an effort to make the traffic less suspicious. They used common-looking names that users might easily mistake for legitimate domains – windows64x.com, windows-updates.com and firewallsupports.com. Researchers suspect that the CASHY200 backdoor was delivered with the help of a macro-laced Microsoft Word document that the victims received via phishing emails or other social engineering strategies.

Because of the limitations that DNS tunneling imposes as a communication channel, the CASHY200 backdoor is rather limited in features. However, it provides the attacker with the ability to execute remote commands and to receive information about the compromised system's software, hardware and configuration.
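Because a DNS-tunneling backdoor has to push its traffic through query names, the queries themselves are the place a defender can catch it. The following detector is an added example (not code from the original write-up or from the CASHY200 malware): it parses constructed DNS query log lines, profiles each client/domain pair by query volume, subdomain length and subdomain entropy, and also matches queries against the three domains named above. The log line format, the sample client addresses and subdomains, the "last two labels" notion of a registered domain and the threshold values are all assumptions for the example.

```python
"""Heuristic DNS-tunneling detector over DNS query logs.

Added example; not from the original page or from the malware it describes.
Assumed log shape per line: "<timestamp> <client_ip> <qname> <qtype>".
"""
import math
import re
from collections import defaultdict

# Domains the write-up names for this backdoor's infrastructure.
WATCHLIST = {"windows64x.com", "windows-updates.com", "firewallsupports.com"}

# Constructed sample log: the subdomains and client addresses are invented for
# this example; only the watchlist domains come from the write-up.
SAMPLE_LOG = """\
2020-11-17T10:00:01 10.0.0.5 www.example.com A
2020-11-17T10:00:03 10.0.0.5 mail.example.com A
2020-11-17T10:00:05 10.0.0.5 4a6f686e53e5c95d7a3b2c1d.windows64x.com TXT
2020-11-17T10:00:06 10.0.0.5 9f1e2d3c4b5a60718293a4b5.windows64x.com TXT
2020-11-17T10:00:07 10.0.0.5 c3d4e5f6a7b8091a2b3c4d5e.windows64x.com TXT
2020-11-17T10:00:08 10.0.0.5 0a1b2c3d4e5f67890abcdef1.windows64x.com TXT
2020-11-17T10:00:09 10.0.0.5 e1f2a3b4c5d6e7f80192a3b4.windows64x.com TXT
2020-11-17T10:00:10 10.0.0.5 5d6e7f8091a2b3c4d5e6f7a8.windows64x.com TXT
2020-11-17T10:00:12 10.0.0.7 cdn.example.org A
2020-11-17T10:00:15 10.0.0.7 b7c8d9e0f1a2b3c4d5e6f708.firewallsupports.com TXT
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def shannon_entropy(s):
    """Bits of Shannon entropy per character; encoded payloads score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname):
    """Assumption: the last two labels are the registered domain (no public
    suffix list is consulted, so co.uk-style suffixes would need extra care)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def parse_log(text):
    """Parse log lines into (timestamp, client, qname, qtype) tuples."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than abort the whole scan
        ts, client, qname, qtype = m.groups()
        records.append((ts, client, qname.lower(), qtype.upper()))
    return records


def profile(records):
    """Aggregate per (client, registered domain): query count, total subdomain
    length and total subdomain entropy."""
    stats = defaultdict(lambda: {"queries": 0, "label_len": 0, "entropy": 0.0})
    for _, client, qname, _ in records:
        domain = registered_domain(qname)
        labels = qname.rstrip(".").split(".")
        sub = ".".join(labels[:-2])  # everything left of the registered domain
        s = stats[(client, domain)]
        s["queries"] += 1
        s["label_len"] += len(sub)
        s["entropy"] += shannon_entropy(sub.replace(".", ""))
    return stats


def flag_tunneling(records, min_queries=5, min_len=16, min_entropy=3.0):
    """Return sorted (client, domain) pairs whose subdomains look like an
    encoded channel: many queries, long subdomains, high entropy. Thresholds
    are assumptions and should be tuned against a site's own baseline."""
    flagged = []
    for (client, domain), s in profile(records).items():
        n = s["queries"]
        if (n >= min_queries
                and s["label_len"] / n >= min_len
                and s["entropy"] / n >= min_entropy):
            flagged.append((client, domain))
    return sorted(flagged)


def watchlist_hits(records, watchlist=WATCHLIST):
    """Return sorted (client, domain) pairs that queried a watchlisted domain,
    regardless of volume, so a single beacon is still surfaced."""
    hits = {(client, registered_domain(q)) for _, client, q, _ in records
            if registered_domain(q) in watchlist}
    return sorted(hits)


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    print("heuristic:", flag_tunneling(recs))
    print("watchlist:", watchlist_hits(recs))
```

The two checks are deliberately separate: the heuristic catches the tunneling pattern even against a domain nobody has listed yet, while the watchlist catches a single low-volume query to known infrastructure that the volume threshold would miss (the lone firewallsupports.com query above is found only by the watchlist).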

While CASHY200's use is limited to the xHunt campaign, similar malware families use the same method to infiltrate computers and communicate with a control server. Thankfully, relying on a reputable anti-malware product is enough to mitigate their attacks and keep you safe while browsing the Web.
