Researchers have discovered a new version of the DNS Messenger attack which masquerades as the US Securities and Exchange Commission (SEC) and hosts malware on compromised government servers.
On Wednesday, security researches from Cisco Talos revealed the results of an investigation into DNS Messenger, a fileless attack which uses DNS queries to push malicious PowerShell commands on compromised computers.
A new version of this attack, which the team say is “highly targeted in nature,” now attempts to compromise victim systems by pretending to be the SEC Electronic Data Gathering Analysis, and Retrieval (EDGAR) system — recently at the heart of a data breach related to financial fraud — in specially crafted phishing email campaigns.
These spoofed emails made them seem legitimate, but should a victim open them and download a malicious attachment contained within, a “multi-stage infection process” begins.
The malicious attachments used in this campaign are Microsoft Word documents. However, rather than using macros or OLE objects to gain a foothold into a system, the threat actors used a less common method of infection, Dynamic Data Exchange (DDE), to perform code execution and install a remote access Trojan (RAT).
It is important to note that Microsoft says that DDE is not an exploitable issue, but rather a feature “by design,” and will not be removed.
Talos disagrees, and claims that the team has witnessed DDE “actively being used by attackers in the wild, as demonstrated in this attack.”
According to Talos, the latest malware campaign is similar to its last evolution. The infection process uses DNS TXT records to create a bidirectional command-and-control (C2) channel, in which attackers are able to interact with the Windows Command Processor using the contents of DNS TXT record queries and responses generated from the threat actor’s DNS server.
When opened, users are asked to permit external links to be retrieved. Should they agree, the malicious document reaches out to an attacker-controlled command-and-control (C&C) server which executes the first malware infection.
This malware was initially hosted on a Louisiana state government website, “seemingly compromised and used for this purpose,” according to the team.
Speaking to ZDNet, Craig Williams, Senior Technical Leader at Cisco Talos said that by the time the findings were made public, the files were removed from the server.
PowerShell commands then come into play. Code is retrieved, obfuscated, and then executed, which kicks off persistence on systems, registry rewrites, scheduled task creation, and DNS requests are made.
“In this particular case, the malware featured the capability to leverage WMI, ADS, scheduled tasks, as well as registry keys to obtain persistence,” the researchers note. “The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace.”
While the team was unable to obtain the next stage of PowerShell code from the C2 servers, Talos says it is likely that communications are restricted to prevent security researchers from being able to track the team and their techniques further, making it more likely that their DNS-based attacks can fly under the radar for longer periods.
However, according to researcher Anthony Yates, he was able to secure the final payload by analyzing some of the findings.
Yates says that the payload is typical C&C bot code, and includes information gathering commands — suggesting the purpose of the DNS attack is for cyberespionage.
“Attackers often employ multiple layers of obfuscation in an attempt to make analysis more difficult, evade detection and prevention capabilities, and continue to operate under the radar by limiting their attacks to only the organizations that they are targeting,” Talos says. “It is also important for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and gain persistence on systems once they are infected.”