Palo Alto Networks is reporting a shift in tactics by the APT group Wekby, which has added a rare but effective tool to its arsenal. The security firm reported on Tuesday that over the past week Wekby attackers have turned to DNS tunneling in place of the more conventional HTTP channel for command and control (C2) of compromised hosts. In a DNS tunnel, commands and stolen data ride inside ordinary-looking DNS queries and responses, a channel that most networks allow outbound and few inspect as closely as web traffic.
Researchers discovered the change while monitoring an undisclosed U.S.-based high-tech firm targeted by the group. Palo Alto Networks calls the DNS tunneling malware pisloader, adding that the technique has existed for some time but is seldom used. The DNS-based approach differs from Wekby's go-to malware, HTTPBrowser, which the group still uses widely, according to Ryan Olson, a researcher on Palo Alto Networks' Unit 42 team.
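Because a DNS-tunneled C2 channel never touches the web proxy, the practical question for a defender is what such traffic looks like in resolver logs. The script below is an added example written for this page; it is not code from Palo Alto Networks, Unit 42, or the pisloader sample, and it does not know pisloader's actual encoding. It flags the generic indicators that any DNS tunnel tends to exhibit: long, high-entropy subdomain labels, a burst of distinct subdomains under one parent domain from one client, and data-bearing record types. The log lines, hostnames, thresholds and the "last two labels" parent-domain rule are all constructed assumptions for the example.

```python
"""Heuristic detector for DNS-tunneling style command and control traffic.

Added example for this article, not code from Palo Alto Networks or pisloader.
It scores generic tunneling indicators rather than any specific malware encoding.
"""
import math
import re
from collections import defaultdict

# Constructed sample lines in a dnsmasq-like "client query[TYPE] name" layout.
# Made up for the example; none of these names are real attacker infrastructure.
SAMPLE_LOG = """\
10.0.0.5 query[A] www.example.com
10.0.0.5 query[TXT] 6a3f9c1e8b2d4a7c0f5e9b1d3c7a2e4f.example.net
10.0.0.5 query[TXT] b7e2d91c4f6a8e0b2c5d7f9a1e3c5b7d.example.net
10.0.0.5 query[A] mail.example.com
10.0.0.5 query[TXT] 9f1a3c5e7b9d1f3a5c7e9b1d3f5a7c9e.example.net
10.0.0.7 query[A] www.example.com
10.0.0.5 query[TXT] c4d6e8f0a2b4c6d8e0f2a4b6c8d0e2f4.example.net
"""

LINE_RE = re.compile(r"^(?P<client>\S+) query\[(?P<qtype>[A-Z]+)\] (?P<qname>\S+)$")

# Record types whose answers comfortably carry arbitrary bytes back to a client.
DATA_BEARING_TYPES = {"TXT", "NULL", "CNAME", "MX", "SRV"}

MAX_LABEL_LEN = 30          # assumption: legitimate hostnames rarely need labels this long
MIN_ENTROPY = 3.0           # assumption: bits per character of the subdomain part
MIN_UNIQUE_SUBDOMAINS = 3   # assumption: tiny value for the sample; raise it in production


def shannon_entropy(s):
    """Shannon entropy in bits per character of s (0.0 for an empty string)."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line):
    """Return (client, qtype, qname) for a matching log line, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    return m.group("client"), m.group("qtype"), m.group("qname").rstrip(".").lower()


def split_qname(qname):
    """Split a query name into (data_labels, parent_domain).

    Assumption: the parent domain is the last two labels. A real deployment
    should use the public suffix list so that names like example.co.uk work.
    """
    labels = qname.split(".")
    if len(labels) <= 2:
        return [], qname
    return labels[:-2], ".".join(labels[-2:])


def query_indicators(qtype, qname):
    """Per-query tunneling indicators, returned as a list of short tags."""
    data_labels, _ = split_qname(qname)
    tags = []
    if data_labels and max(len(lab) for lab in data_labels) >= MAX_LABEL_LEN:
        tags.append("long_label")
    if shannon_entropy("".join(data_labels)) >= MIN_ENTROPY:
        tags.append("high_entropy")
    if qtype in DATA_BEARING_TYPES:
        tags.append("data_bearing_type")
    return tags


def detect_tunneling(log_text, min_unique=MIN_UNIQUE_SUBDOMAINS):
    """Aggregate per (client, parent domain) and return the suspicious pairs.

    A pair is reported when it shows at least min_unique distinct subdomains
    and more than half of its queries carried two or more per-query indicators.
    """
    seen = defaultdict(set)     # (client, parent) -> distinct subdomain strings
    hits = defaultdict(int)     # (client, parent) -> queries with >= 2 indicators
    total = defaultdict(int)    # (client, parent) -> all queries
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if not parsed:
            continue
        client, qtype, qname = parsed
        data_labels, parent = split_qname(qname)
        key = (client, parent)
        total[key] += 1
        if data_labels:
            seen[key].add(".".join(data_labels))
        if len(query_indicators(qtype, qname)) >= 2:
            hits[key] += 1
    findings = []
    for key in total:
        if len(seen[key]) >= min_unique and hits[key] * 2 > total[key]:
            findings.append({"client": key[0], "parent": key[1],
                             "unique_subdomains": len(seen[key]),
                             "flagged_queries": hits[key], "queries": total[key]})
    return sorted(findings, key=lambda f: f["flagged_queries"], reverse=True)


if __name__ == "__main__":
    for finding in detect_tunneling(SAMPLE_LOG):
        print(finding)
```

Run against the constructed sample, the detector reports a single pair, client 10.0.0.5 against example.net, with four distinct high-entropy TXT queries, while the ordinary A lookups for example.com stay below every threshold. The per-query and per-pair checks are deliberately separate: a single long random label can be a CDN cache-buster, and a burst of subdomains can be a legitimate content network, so it is the combination over time from one client that is worth an analyst's attention.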