Malware authors never fail to find new ways of doing the same thing to stay under the AV's radar. Recently, Cisco's security research team Talos spotted a novelty in controlling exploited computers. Dubbed DNSMessenger, it is a Remote Administration Tool (RAT) that uses DNS to communicate with its Command and Control (C2) server.
DNSMessenger Infection Chain
Even though the attack vector includes a file, the attack itself is executed completely in memory and doesn't leave a trace on the disk.
- Document “secured by McAfee”
The first step is opening a Microsoft Word document with a malicious Visual Basic for Applications (VBA) macro. Check this if you want to know more about Word documents as an attack vector.
There's a nice fake "secured by McAfee" message in the document, shown in an attempt to encourage people to enable macros.
- Getting PowerShell
The VBA script uses the Windows native tool PowerShell for administration and for communication with the Command and Control server. The VBA script calls the Create method of the Windows Management Instrumentation (WMI) Win32_Process class to launch PowerShell.
The script adapts itself to its surroundings, mainly based on the privileges of the exploited user and the version of PowerShell. This is done in the 'pre_logic' function below (code deobfuscated by Talos).
Based on two switches, the malware decides whether to execute and whether to add persistence. In addition to the switches, the function contains five parameters which are used to determine what subdomains to use when sending DNS TXT record queries in the next stage.
- Making itself at home
Based on the privileges of the exploited user (switch $add_persistence), the PowerShell script chooses the appropriate registry keys:
If an Administrator is exploited:
- $reg_win_path: "HKLM:\Software\Microsoft\Windows\CurrentVersion"
- $reg_run_path: "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
If a 'regular' user is exploited:
- $reg_win_path: "HKCU:\Software\Microsoft\Windows"
- $reg_run_path: "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run"
The script then randomly chooses a domain from an array of hardcoded domains and performs the initial DNS lookup against it. The contents of the DNS TXT records in both the query and the response carry the synchronization information (SYN on the diagram).
- Remote Access
At this point, persistence is in place and the PowerShell Win32_Process is ready to receive commands through DNS TXT records. The exploited machine now sends DNS queries to retrieve the command (MSG on the diagram). Here's an instance of a command being received, captured by Wireshark:
The string is reassembled, decompressed and base64 decoded by PowerShell into a cmd.exe command. The system is effectively owned using nothing but PowerShell and DNS. The unusual communication channel did a lot to defeat AV heuristic checks; combined with the fact that the attack is fileless, it evaded every AV.
Although it wasn't observed in this exact malware, a DNS-based RAT can also receive and run executable files via DNS TXT queries, just like conventional backdoors.
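The detection angle follows directly from the mechanism above: a host that fans out TXT queries across many subdomains of one apex domain, and receives long base64-looking answers, is behaving very differently from a mail server checking an SPF record. The following Python script is an added example written for this article, not code from Talos or from the malware; it builds a small constructed DNS log (the `client qtype qname answer` line format, the `c2-example.invalid` domain, the sequence-number label and the base64-over-gzip layering are all assumptions made for the example), flags the beaconing client, and reassembles the TXT answers back into the command text the way an analyst would when working from a capture.

```python
import base64
import gzip
from collections import defaultdict

# All values below are constructed for this example.
C2_DOMAIN = "c2-example.invalid"   # hypothetical C2 apex domain
CHUNK = 24                         # base64 characters carried per TXT answer (assumption)


def make_sample_log():
    """Return constructed DNS log lines of the form 'client qtype qname answer'.

    Benign lookups are mixed with a TXT beacon whose answers carry
    base64(gzip(command)) split across several sequence-numbered queries.
    The layering order is an assumption; the article only says the string is
    'reassembled, decompressed and base64 decoded'.
    """
    cmd = "hostname & ipconfig /all"
    blob = base64.b64encode(gzip.compress(cmd.encode(), mtime=0)).decode()
    chunks = [blob[i:i + CHUNK] for i in range(0, len(blob), CHUNK)]
    lines = [
        "10.0.0.5 A www.example.com 93.184.216.34",
        "10.0.0.5 AAAA www.example.com 2606:2800:220:1:248:1893:25c8:1946",
        "10.0.0.9 TXT example.com v=spf1 -all",      # legitimate TXT use
    ]
    for seq, chunk in enumerate(chunks):
        # leftmost label is opaque junk, second label is the chunk sequence number
        lines.append(f"10.0.0.9 TXT x7k9q2.{seq}.{C2_DOMAIN} {chunk}")
    lines.append("10.0.0.9 A www.example.com 93.184.216.34")
    return lines


def parse(line):
    """Split one log line into (client, qtype, qname, answer)."""
    client, qtype, qname, *rest = line.split(maxsplit=3)
    return client, qtype, qname, rest[0] if rest else ""


def apex(qname):
    """Registrable domain approximated as the last two labels (no public-suffix list here)."""
    return ".".join(qname.lower().rstrip(".").split(".")[-2:])


def find_txt_beacons(lines, threshold=3):
    """Return {(client, apex): distinct_subdomains} for clients that issued TXT
    queries to at least `threshold` distinct subdomains of one apex.
    SPF, DKIM and domain-verification lookups rarely fan out like this."""
    seen = defaultdict(set)
    for line in lines:
        client, qtype, qname, _ = parse(line)
        if qtype == "TXT":
            seen[(client, apex(qname))].add(qname.lower())
    return {key: len(names) for key, names in seen.items() if len(names) >= threshold}


def reassemble_txt_payload(lines, client, apex_domain):
    """Analyst helper: collect the TXT answers a flagged client received from
    the apex, order them by the numeric sequence label, then undo the assumed
    base64 + gzip layering to recover the transported command text."""
    parts = []
    for line in lines:
        c, qtype, qname, answer = parse(line)
        if c == client and qtype == "TXT" and apex(qname) == apex_domain:
            labels = qname.split(".")
            seq = int(labels[1]) if len(labels) > 2 and labels[1].isdigit() else 0
            parts.append((seq, answer))
    blob = "".join(answer for _, answer in sorted(parts))
    return gzip.decompress(base64.b64decode(blob)).decode()


if __name__ == "__main__":
    log = make_sample_log()
    for (client, domain), count in find_txt_beacons(log).items():
        print(f"{client} -> {domain}: {count} TXT queries to distinct subdomains")
        print("recovered command:", reassemble_txt_payload(log, client, domain))
```

On a real DNS log the `threshold` and the apex heuristic need tuning (a public-suffix list, a time window, and an allow-list of domains known to publish many TXT records), but the shape of the check is the point: inspect the resolver logs, not just the web proxy.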
Conclusion
Malware authors frequently find innovations which put anti-virus vendors in a tough spot. This sample is a great example of why all internet traffic, DNS included, should be investigated when looking for malware.
TheBitcoinNews.com – Bitcoin News source since June 2011 –