New malicious tools designed to improve attack efficiency
Since the initial report, the hackers behind the DNSpionage campaign have improved their attack methods and expanded their malicious toolset, as Cisco Talos learned in February when it spotted new and updated malware being dropped during the attacks.
More to the point, as part of the new reconnaissance phase added to the campaign, "the malware drops a Windows batch file (a.bat) in order to execute a WMI command and obtain all the running processes on the victim's machine." This, coupled with a NetWkstaGetInfo() API call, lets it collect workstation environment information used to fingerprint the victim's machine.
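As an added detection example (not code from the report or from Cisco Talos), the following Python flags the reconnaissance pattern described above on constructed Sysmon-style process-creation events: cmd.exe running a .bat file that spawns a WMIC process enumeration. The file paths, PIDs and the exact WMIC command line are assumptions, not values from the report.

```python
import json
import re

# Constructed Sysmon-style process-creation events, one JSON object per line.
# Paths, PIDs and the WMIC command line are assumptions for this example.
SAMPLE_LOG = r"""
{"pid": 100, "ppid": 1,   "image": "C:\\Windows\\explorer.exe", "cmdline": "explorer.exe"}
{"pid": 200, "ppid": 100, "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe /c C:\\Users\\victim\\AppData\\Local\\Temp\\a.bat"}
{"pid": 201, "ppid": 200, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic process list full"}
{"pid": 300, "ppid": 1,   "image": "C:\\Windows\\System32\\cmd.exe", "cmdline": "cmd.exe"}
{"pid": 301, "ppid": 300, "image": "C:\\Windows\\System32\\wbem\\WMIC.exe", "cmdline": "wmic os get caption"}
"""

# Matches a .bat path anywhere in a command line (hypothetical helper pattern).
BATCH_RE = re.compile(r"(\S+\.bat)\b", re.IGNORECASE)


def parse_events(log_text):
    """Parse JSON-lines process-creation events, skipping blank lines."""
    return [json.loads(line) for line in log_text.splitlines() if line.strip()]


def find_batch_wmi_process_enum(events):
    """Flag wmic.exe process enumeration whose parent is cmd.exe running a .bat file."""
    by_pid = {e["pid"]: e for e in events}
    hits = []
    for ev in events:
        if not ev["image"].lower().endswith("wmic.exe"):
            continue
        # The WMIC "process" alias means the query targets Win32_Process.
        if "process" not in ev["cmdline"].lower().split():
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or not parent["image"].lower().endswith("cmd.exe"):
            continue
        match = BATCH_RE.search(parent["cmdline"])
        if not match:
            continue
        hits.append({"wmic_pid": ev["pid"], "cmd_pid": parent["pid"],
                     "batch_file": match.group(1), "wmi_cmdline": ev["cmdline"]})
    return hits


if __name__ == "__main__":
    for hit in find_batch_wmi_process_enum(parse_events(SAMPLE_LOG)):
        print("suspicious process enumeration:", hit)
```

Only the wmic.exe instance spawned by the batch-file cmd.exe is flagged; the interactive cmd.exe running an OS query is not.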
The attackers also improved the malware's ability to hide its activity by splitting API call strings, effectively breaking YARA rules designed to detect malicious activity based on specific strings.
... ...