A unique attack called DNSMessenger uses DNS queries to carry out malicious PowerShell commands on compromised computers, a method that researchers said makes it difficult to detect that a remote access Trojan is being dropped onto targeted systems.
According to experts at Cisco’s security research outfit Talos, the infection chain begins with a rigged Word document sent to recipients who are encouraged to “enable content” so they can view a message. If enabled, the document launches a Visual Basic for Applications macro that opens the initial PowerShell command that ultimately leads to the multistage attack and the eventual installing of a remote access Trojan.
“This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of PowerShell with various stages being completely fileless indicates an attacker who has taken significant measures to avoid detection,” wrote Cisco’s Edmund Brumaghin and Colin Grady.
The initial PowerShell instructions that are executed are contained within the Word document itself.
Researchers said the attack is unique because it does not follow a typical infection chain in which files are written to the targeted system. Instead, the infection technique uses DNS TXT record queries to request and fetch malicious PowerShell commands that are stored remotely as DNS TXT records.
Researchers said the malware sample uses DNS TXT record queries and responses creating a bidirectional command and control channel. “This allows the attacker to use DNS communications to submit new commands to be run on infected machines and return the results of the command execution to the attacker,” researchers wrote.
According to a technical analysis, attackers leveraged multiple VBA scripts, each unpacking a unique self-contained PowerShell script. During each of the stages in the infection process, malware would send DNS queries to one of multiple domains hardcoded in the script.
“The document uses the Document_Open() function to call another VBA function. The called function sets a long string that defines a Powershell command and includes the code to be executed. The command is then executed using the Windows Management Interface (WMI) Win32_Process object using the Create method,” researchers said.
This process “allows the code to be executed without ever requiring it to be written to the filesystem of the infected system,” according to Talos.
The objective of the multi-stage infection process is to determine the access privileges of the targeted system and which version of PowerShell is installed, make changes to the Windows Registry, and open a backdoor in order to maintain persistence.
Cisco notes that DNSMessenger demonstrates the ingenuity of attackers and the lengths they will go to in order to avoid detection. “It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc., DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure,” researchers wrote.
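The point Talos makes above is that DNS is a C2 channel and should be monitored like any other protocol. As an added illustration, not code from the Talos report or the article, the following Python script scans resolver log lines for the traffic pattern described here: a client issuing many TXT queries to one domain, each carrying a different leading label (the usual way a DNS-based channel defeats caching). The log format, the `.test` domain names and the thresholds are all assumptions constructed for this example; a real deployment would read the resolver's actual log format and derive the registrable domain from the Public Suffix List rather than taking the last two labels.

```python
import re
from collections import defaultdict

# Constructed sample resolver log for this example. The line format is an assumption:
#   <timestamp> <client_ip> <query_name> <query_type>
# The two "example.com TXT" lookups stand in for benign SPF-style checks; the
# queries to the reserved ".test" domain stand in for a TXT-record command channel.
SAMPLE_LOG = """\
2017-03-02T10:00:01 10.1.2.3 www.example.com A
2017-03-02T10:00:02 10.1.2.3 example.com TXT
2017-03-02T10:00:04 10.1.2.3 example.com TXT
2017-03-02T10:00:05 10.1.2.3 a9f3c1e7d0.beacon.c2-placeholder.test TXT
2017-03-02T10:00:09 10.1.2.3 b7e20d44c1.beacon.c2-placeholder.test TXT
2017-03-02T10:00:14 10.1.2.3 c61d0a9b22.beacon.c2-placeholder.test TXT
2017-03-02T10:00:20 10.1.2.3 d02e7f1333.beacon.c2-placeholder.test TXT
2017-03-02T10:00:25 10.1.2.3 e4b81c5544.beacon.c2-placeholder.test TXT
2017-03-02T10:00:31 10.1.2.3 f3a09d2e55.beacon.c2-placeholder.test TXT
2017-03-02T10:00:40 10.1.2.9 example.com TXT
"""

LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_log(text):
    """Return a list of (timestamp, client, qname, qtype) tuples, skipping malformed lines."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, client, qname, qtype = m.groups()
        records.append((ts, client, qname.lower().rstrip("."), qtype.upper()))
    return records


def registered_domain(qname, depth=2):
    """Approximate the registrable domain as the last `depth` labels.
    This is a simplification; production code should consult the Public Suffix List."""
    labels = qname.split(".")
    return ".".join(labels[-depth:])


def find_txt_channels(records, min_queries=5, min_unique_ratio=0.8):
    """Group TXT queries by (client, registered domain) and flag groups that look like a
    command channel: at least `min_queries` TXT lookups where nearly every query name has
    a distinct leading label. Repeated lookups of the same name (e.g. SPF) are not flagged."""
    groups = defaultdict(list)
    for _, client, qname, qtype in records:
        if qtype == "TXT":
            groups[(client, registered_domain(qname))].append(qname)

    alerts = []
    for (client, domain), names in groups.items():
        count = len(names)
        if count < min_queries:
            continue
        leading_labels = {name.split(".")[0] for name in names}
        unique_ratio = len(leading_labels) / count
        if unique_ratio >= min_unique_ratio:
            alerts.append({
                "client": client,
                "domain": domain,
                "txt_queries": count,
                "unique_ratio": round(unique_ratio, 2),
            })
    return alerts


def scan(text):
    """Convenience wrapper: parse the log text and return the list of alerts."""
    return find_txt_channels(parse_log(text))


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

Run against the constructed log, the script reports a single group: client 10.1.2.3 sent six TXT queries to `c2-placeholder.test`, every one with a different leading label, while the repeated `example.com` TXT lookups stay below the threshold and share one name. Tune `min_queries` to the observation window you feed in; the unique-label ratio is what separates a data channel from legitimate repeated TXT lookups.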
“This appears to have been a fairly targeted attack and was not very widespread compared to other campaigns we regularly observe,” said Brumaghin. He added that the intent of the malware is unclear. “We were unable to get the C2 infrastructure to send commands to execute. This is common with targeted attacks as the attackers will only choose to send commands to their intended victim.”
Cisco Talos credits security researcher @simpo13 for bringing the malware to its attention. Ironically, @simpo13 approached Talos because he found a reference (“SourceFireSux”) inside the code to Cisco’s SourceFire security appliances.