Researchers identified a possible new collaborator in the continued Shamoon attacks against Saudi organizations. Arbor Networks said that it has new leads on a credential stealing remote access Trojan (RAT) called Ismdoor, possibly used by Greenbug to steal credentials on Shamoon s behalf. Greenbug is using DNS TXT record queries and responses to create bidirectional command and control channel. The DNS attack technique is used primarily by Greenbugs for stealing credentials, researcher Dennis Schwarz said. He said using this technique, data is also be exfiltrated from the machines as well.
Source: https://threatpost.com/shamoon-collaborator-greenbug-adopts-new-communication-tool/125383/