DNSMessenger comms

Malware researchers have come across a new Remote Access Trojan (RAT) that uses a novel technique to evade detection on corporate networks by fetching malicious PowerShell commands stored inside a domain's DNS TXT records.

The malware, nicknamed DNSMessenger, was first detected by a security researcher named Simpo.

The RAT came to the attention of the Cisco Talos security team after Simpo discovered a Base64 string that translated back to "SourceFireSux," SourceFire being one of Cisco's corporate security products.

This wasn't up to Cisco's liking, and its researchers decided to investigate further. What they found was a malware that was more advanced than they ever expected.

According to a technical analysis that broke down the malware's every feature, infections started when victims received a Word document via email.

Word document used in the attacks
Word document used in the attacks (via Cisco)

If victims opened the files and turned on macro support, a VBA script would unpack a self-contained PowerShell script and execute it.

This script contained basic instructions to ensure persistence on the infected host by modifying registry keys, checking PowerShell versions, and other operations.

This was also the first phase of a four-stage infection process. During the following stages, the malware would send DNS queries to one of multiple domains hardcoded in its source code.

List of domains

The DNS queries would retrieve the domain's DNS TXT record. These small snippets of text that registrars allow domain owners to add to their DNS entry contained base64-encoded PowerShell commands, which loaded more of DNSMessenger's components in the victim's RAM memory, without leaving any traces of malicious code on disk, where most security products can scan for suspicious artifacts.

This memory-based malicious code would then allow the attacker to interact with the victim's computer by relaying shell commands from the attacker and reading their output.

The get the commands it needed to execute, the malware would use other DNS queries to another list of domains, slightly similar to the first.

List of domains

At this point, all attackers had to do was to leave commands and other instructions inside the TXT records of their domains. The malware would query for the domain's DNS TXT record, get the command, execute via the Windows Command Line Processor, and send the output back as another DNS query.

At the time of writing, the domains registered and used by the RAT are all down. Because of this, we still don't know what types of commands the attackers relayed to infected hosts.

The high level of sophistication of this particular RAT suggests it was used in a small number of targeted attacks.

Cisco says that because the malware used DNS queries to hide its activity unless the target company was monitoring DNS traffic, the infection would have never been picked up.

DNS used in the past to hide stolen data, C&C server comms

Most of today's enterprise and home security products monitor HTTP/S traffic primarily. There are very few solutions that monitor DNS traffic, and most are enterprise-grade only. This is also one of the reasons Cisco bought OpenDNS and its Umbrella product in 2015.

In the past, malware had primarily used DNS to exfiltrate stolen data from a compromised network. For example, the MULTIGRAIN POS malware encoded stolen credit card data and hid it inside DNS requests, which it made to its own DNS servers, and by doing so logging all stolen data.

Malware like Feederbot (botnet) and PlugX (cyberespionage) have also used DNS requests to communicate with their command and control (C&C) servers, just like DNSMessenger. The only difference is that this particular RAT hid more than C&C commands, but also entire PowerShell scripts for escalating an infection.