Wekby APT group leverages DNS requests for C2 communications

Pierluigi Paganini May 28, 2016

Palo Alto Networks has spotted a new campaign conducted by the Wekby APT that relies on malware that uses DNS requests for C2 communications.

Security experts at Palo Alto Networks have spotted a China-linked APT group that has been using a strain of malware that leverages DNS requests for command and control (C&C) communications.

The group is known as Wekby, Dynamite Panda, TG-0416 and APT 18; security experts linked it to the security breach suffered by Community Health Systems in 2014.

The attackers exploited the Heartbleed vulnerability affecting OpenSSL to steal 4.5 million patient records.

In July 2015, the Wekby APT group was spotted exploiting the CVE-2015-5119 Flash Player vulnerability in their exploit kits; the exploit code was disclosed as a result of the attack against Hacking Team.

In the latest wave of attacks discovered by the experts at Palo Alto Networks, the Wekby APT group targeted a US-based organization using a strain of malware dubbed ‘pisloader.’

The pisloader malware is a variant of the HTTPBrowser RAT that was delivered via HTTP from the following URL:


The threat actors deliver a malware dropper that adds registry keys for persistence, then decrypts and executes the pisloader payload, which is obfuscated using a return-oriented programming (ROP) technique.

“This particular command will set the HKCU\Software\Microsoft\Windows\CurrentVersion\Run\lsm registry key with a value of “%appdata%\lsm.exe”. After this key is set, the malware proceeds to decrypt two blobs of data with a single-byte XOR key of 0x54. The resulting data is written to the %appdata%\lsm.exe file path.

After this file is written, the malware executes the newly written lsm.exe file, which contains the Pisloader payload.”

The novelty discovered by the researchers at Palo Alto Networks is that pisloader uses DNS requests for C&C communications; in this way the malicious code is able to disguise its activity.

The abuse of DNS queries had already been observed by malware researchers: in March 2016, experts from FireEye discovered a strain of POS malware dubbed Multigrain that steals card data from point-of-sale systems and exfiltrates it over DNS.

Pisloader periodically sends a DNS beacon request to the C&C server that is hardcoded into the malware.

“The pisloader sample will send a beacon periodically that is composed of a random 4-byte uppercase string that is used as the payload. An example of this can be found below:”

Figure 5: pisloader DNS beacon request

“The malicious code expects various aspects of the DNS responses to be set in a specific way, or else pisloader will ignore the DNS reply.”

The C2 server replies with a TXT record that can contain various commands for the malware.
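The beacon description above translates into a check a defender can run over DNS query logs. The following Python is an added example, not code from Palo Alto Networks or from the original article; the log format, the sample lines, the domain names, the thresholds, and the assumption that the 4-letter string is the leftmost label of a TXT query are all assumptions made for illustration.

```python
import re
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample log, assumed format: "<epoch> <client_ip> <qtype> <qname>"
SAMPLE_LOG = """\
1464400000 10.0.0.5 TXT KQZM.ns1.c2.example
1464400060 10.0.0.5 TXT PLWD.ns1.c2.example
1464400121 10.0.0.5 TXT XHRT.ns1.c2.example
1464400180 10.0.0.5 TXT BNVC.ns1.c2.example
1464400007 10.0.0.9 A www.example.org
1464400300 10.0.0.9 TXT _dmarc.example.org
1464400010 10.0.0.7 TXT ABCD.mail.example.net
1464403900 10.0.0.7 TXT ABCD.mail.example.net
"""

# "Random 4-byte uppercase string"; assumed to be the leftmost label of the query name.
BEACON_LABEL = re.compile(r"[A-Z]{4}")

def find_beacon_candidates(log_text, min_labels=3, max_jitter=0.2):
    """Return {(client, parent_domain): mean_interval_seconds} for suspected beacons."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines
        ts, client, qtype, qname = parts
        label, _, parent = qname.rstrip(".").partition(".")
        # The label is matched as logged: its uppercase form is part of the signal.
        if qtype.upper() == "TXT" and parent and BEACON_LABEL.fullmatch(label):
            groups[(client, parent.lower())].append((int(ts), label))
    hits = {}
    for key, events in groups.items():
        events.sort()
        if len({lbl for _, lbl in events}) < min_labels:
            continue  # one repeated 4-letter host name is not a random payload
        gaps = [b[0] - a[0] for a, b in zip(events, events[1:])]
        avg = mean(gaps)
        # Periodic beaconing: gaps between queries cluster tightly around their mean.
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            hits[key] = round(avg)
    return hits

if __name__ == "__main__":
    for (client, parent), interval in find_beacon_candidates(SAMPLE_LOG).items():
        print(f"{client} -> *.{parent}: ~{interval}s between 4-letter TXT queries")
```

Resolvers that randomise query-name case before logging would hide the uppercase pattern, so run this against logs captured as close to the client as possible.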

The discovery made by experts at Palo Alto Networks demonstrates that the Wekby group is still active and is involved in high-profile cyber-espionage campaigns using sophisticated malware.
