
Mozart

Posted: February 25, 2020

Mozart is a backdoor Trojan that gives attackers control of your computer by executing arbitrary tasks dictated by its remote server. The Trojan uses a semi-innovative C&C contact method that may evade some network-monitoring utilities because it is built on the Domain Name System. Users can protect themselves with DNS-monitoring security tools or commonplace anti-malware products that flag and delete Mozart as a threat.

A Prodigy in Socializing with Servers

The abuse of DNS isn't a new thing for Trojans, with threats like the Kedi RAT, GhostDNS, and the RogueRobin Trojan using it for everything from talking to their servers to hijacking users' web browsers. What makes the new Mozart Trojan different from the older software is how it incorporates command processing into the Domain Name System, with the apparent intent of dodging network-analysis tools. It pairs this obscured network contact with aggressive queries for instructions on how to proceed against the infected system, which makes it both semi-invisible and threateningly adaptable.

Mozart, bearing the same name as the famous Austrian composer, is a recent catch dating to late February of 2020. The Windows backdoor Trojan spreads through what malware experts believe are e-mail phishing attacks, using a multi-step process that includes attached PDF documents, embedded links to corrupted archives, and a fake Windows calculator executable. In that last form, the Trojan adds itself to the Startup folder for persistence.

Unfortunately, the bulk of Mozart's capabilities are unclear, since the Trojan's C&C servers aren't responding to current queries. However, the Trojan has a particularly unorthodox C&C contact method that uses DNS for both server communications and storing task-related data. It requests tasks regularly, meaning that it's either executing an attack or asking for one at all times.

Silencing the Musician That's Playing Your Computer

While subverting DNS is by no means unique to Mozart across the threat landscape, it is a less typical networking strategy than using HTTP, and it lets Mozart contact its server without flagging itself as a threat. The lack of a dynamic IP address for its C&C is a possible weakness: users can block known-unsafe addresses, though criminals can counter such precautions in turn. DNS-monitoring software may help mitigate damage from this threat and from similar Trojans like APT34's TONEDEAF.
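The regular task polling over DNS described above is the kind of pattern DNS-monitoring tooling can surface. As an added example (not code from the original article, and not tied to Mozart's actual, still-unknown query format), this script flags a client that queries one domain at steady intervals with a different subdomain each time, using constructed sample log lines, hypothetical domain names and example thresholds:

```python
"""Flag DNS beaconing: one client polling a single domain at regular intervals with many distinct subdomains."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample log lines (timestamp, client, queried name); not real data.
SAMPLE_LOG = """\
2020-02-25T10:00:00 10.0.0.5 0a1f3c.example-c2.test
2020-02-25T10:00:30 10.0.0.5 9b2e7d.example-c2.test
2020-02-25T10:01:00 10.0.0.5 44c0aa.example-c2.test
2020-02-25T10:01:30 10.0.0.5 e7d111.example-c2.test
2020-02-25T10:02:00 10.0.0.5 5f5f5f.example-c2.test
2020-02-25T10:02:30 10.0.0.5 0b0b0b.example-c2.test
2020-02-25T10:00:07 10.0.0.6 www.example.org
2020-02-25T10:03:41 10.0.0.6 cdn.example.org
2020-02-25T10:09:02 10.0.0.6 www.example.org
"""

def registered_domain(qname):
    """Crude 'last two labels' heuristic; real tooling should use a public-suffix list."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def find_beacons(log_text, min_queries=5, max_jitter=0.2, min_unique_ratio=0.8):
    groups = defaultdict(list)  # (client, domain) -> [(timestamp, qname), ...]
    for line in log_text.splitlines():
        ts, client, qname = line.split()
        groups[(client, registered_domain(qname))].append(
            (datetime.fromisoformat(ts), qname))
    hits = []
    for (client, domain), events in groups.items():
        if len(events) < min_queries:
            continue
        events.sort()
        gaps = [(b[0] - a[0]).total_seconds() for a, b in zip(events, events[1:])]
        # Low relative spread of inter-query gaps = timer-driven polling, not human browsing.
        jitter = pstdev(gaps) / mean(gaps) if mean(gaps) > 0 else float("inf")
        # Mostly unique subdomains suggests data or task IDs carried in the query name.
        unique_ratio = len({q for _, q in events}) / len(events)
        if jitter <= max_jitter and unique_ratio >= min_unique_ratio:
            hits.append({"client": client, "domain": domain,
                         "queries": len(events), "mean_gap_s": mean(gaps),
                         "jitter": round(jitter, 3)})
    return hits

if __name__ == "__main__":
    for hit in find_beacons(SAMPLE_LOG):
        print(hit)
```

Tune the thresholds against a baseline of your own resolver logs before alerting on them; legitimate CDNs and telemetry agents also poll on timers.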

Malware researchers also recommend maintaining traditional, e-mail-oriented security practices, such as:

  • Disabling in-document (or spreadsheet) macros
  • Updating word-processing software
  • Scanning downloads before opening
  • Verifying the web addresses of links before clicking them

Reliable anti-malware tools may also block the installer components of Mozart or remove Mozart after it compromises the computer.

Much remains to be heard about what the Mozart Trojan plans on composing, but non-consensual network contact isn't agreeable to anyone's ears. Anyone who goes to great lengths to hide what they're doing with someone else's PC is worth silencing by any means necessary.
