Malware authors keep finding new ways of doing old things so that they stay under the AV's radar. Recently, Cisco's Talos research team spotted a novel way of controlling compromised computers. Dubbed DNSMessenger, it is a Remote Administration Tool (RAT) that uses DNS TXT records to communicate with its Command & Control (C2) server.
DNSMessenger Infection Chain
Even though the attack vector is a file (the Word document), the attack itself is executed completely in memory: no executable is ever written to disk. "Fileless" is not the same as "traceless", though; the persistence mechanism described below lives in the registry, and the document itself stays wherever the user saved it.
- Document “secured by McAfee”
The first step is opening a Microsoft Word document with a malicious Visual Basic for Applications (VBA) macro. Check this if you want to know more about Word documents as an attack vector.
The document shows a fake "secured by McAfee" message intended to encourage the victim to enable macros.
- Getting PowerShell
The VBA macro uses PowerShell, a Windows-native administration tool, for the next stage and for communication with the C2 server. It launches PowerShell through Windows Management Instrumentation (WMI) by calling the Create method of the Win32_Process class rather than spawning it directly from the macro. A consequence worth knowing for detection: a process created that way is a child of the WMI provider host (WmiPrvSE.exe), not of WINWORD.EXE, so parent-child rules that look for Word spawning PowerShell do not fire.
The script adapts itself to its surroundings, mainly based on the privileges of the exploited user and the installed PowerShell version. This is done in the 'pre_logic' function below (code deobfuscated by Talos).
Based on two switches, the malware decides whether to execute at all and whether to add persistence. In addition to the switches, the function takes five parameters which determine what subdomains to use when sending the DNS TXT record queries in the next stage.
- Making itself at home
Depending on the privileges of the exploited user, and provided the $add_persistence switch is set, the PowerShell script chooses the registry keys it is able to write to:
If an Administrator is exploited (HKLM is writable):
- $reg_win_path: “HKLM:Software\Microsoft\Windows\CurrentVersion”
- $reg_run_path: “HKLM:Software\Microsoft\Windows\CurrentVersion\Run\”
If a 'regular' user is exploited (only HKCU is writable):
- $reg_win_path: “HKCU:Software\Microsoft\Windows”
- $reg_run_path: “HKCU:Software\Microsoft\Windows\CurrentVersion\Run\”
The script then randomly chooses one domain from an array of hard-coded domains and performs the initial DNS lookup against it. Both directions carry data: the query (encoded in the subdomain) and the TXT record in the response contain the synchronization information (SYN on the diagram).
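As an added example (not code from the Talos report or from the malware), here is a hunting script for the two artefacts this stage leaves behind: a Run value in whichever hive the user could write to, and a powershell.exe whose parent is the WMI provider host. The indicator strings are my own assumptions rather than indicators from the report; the script uses only built-in cmdlets (Get-CimInstance needs PowerShell 3 or later) and must be run on the Windows host being examined.

```powershell
# Added example, not Talos's or the malware's code. Hunts for the persistence and
# process artefacts described above. Indicator strings below are assumptions.

# Same hive selection the post describes: HKLM when elevated, HKCU otherwise.
function Get-PersistenceRunPath {
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal -ArgumentList $identity
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    } else {
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'
    }
}

# Things a registry-resident PowerShell stager tends to need (assumed heuristics).
$SuspiciousTokens = @(
    '-enc', '-encodedcommand', '-nop', '-noprofile', '-w hidden', '-windowstyle hidden',
    'Get-ItemProperty', 'FromBase64String', 'IEX', 'Invoke-Expression'
)

function Find-SuspiciousRunValues {
    param([string[]]$Paths = @(
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run'))
    foreach ($path in $Paths) {
        if (-not (Test-Path $path)) { continue }
        $props = Get-ItemProperty -Path $path
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }      # PSPath, PSParentPath... metadata
            $val  = [string]$p.Value
            $hits = $SuspiciousTokens | Where-Object { $val -match [regex]::Escape($_) }
            if ($val -match 'powershell' -and $hits) {
                [pscustomobject]@{
                    Hive       = $path
                    Name       = $p.Name
                    Value      = $val
                    Indicators = ($hits -join ',')
                }
            }
        }
    }
}

# PowerShell launched through WMI (Win32_Process.Create) has WmiPrvSE.exe as its
# parent, not the Office application that called it, so hunt for that parent.
function Find-WmiSpawnedPowerShell {
    $procs = Get-CimInstance -ClassName Win32_Process
    $byId  = @{}
    foreach ($x in $procs) { $byId[[int]$x.ProcessId] = $x }
    foreach ($p in $procs) {
        if ($p.Name -notmatch '^(powershell|pwsh)\.exe$') { continue }
        $parent = $byId[[int]$p.ParentProcessId]
        if ($parent -and $parent.Name -ieq 'WmiPrvSE.exe') {
            [pscustomobject]@{
                Pid         = $p.ProcessId
                Parent      = "$($parent.Name) ($($parent.ProcessId))"
                CommandLine = $p.CommandLine
            }
        }
    }
}

"Run key this session could write to: $(Get-PersistenceRunPath)"
Find-SuspiciousRunValues   | Format-Table -AutoSize
Find-WmiSpawnedPowerShell  | Format-Table -AutoSize
```

Run it from an elevated prompt to cover both hives; a non-elevated session still sees HKLM values but may miss processes owned by other users. The WmiPrvSE.exe parent is a useful signal, but legitimate management tooling (SCCM, monitoring agents) also creates processes that way, so correlate with the command line rather than alerting on the parent alone.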
- Remote Access
At this point persistence is in place and the PowerShell process launched via Win32_Process is ready to receive commands through DNS TXT records. The exploited machine now sends DNS queries to fetch the command (MSG on the diagram). Here's an instance of a command being received, captured with Wireshark:
PowerShell reassembles the TXT strings, base64-decodes and decompresses them into a cmd.exe command, and runs it. The system is effectively owned using nothing but PowerShell and DNS. The unconventional communication channel helped a great deal against AV heuristics, which expect HTTP(S) beacons rather than TXT lookups, and DNS is rarely blocked or inspected at the perimeter. Combined with the fact that the attack is fileless, it evaded every AV at the time.
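Here is the receive-side decode chain from the paragraph above, written as an added example rather than taken from the malware or the Talos write-up. It assumes gzip for the compression step (the report only says "decompressed"), and builds its own sample TXT answer in memory because a live lookup would need the attacker's domain; the Get-TxtStrings helper shows how an analyst would pull real TXT strings with Resolve-DnsName (DnsClient module, Windows 8 / Server 2012 and later) instead.

```powershell
# Added example, not the malware's or Talos's code. Demonstrates the chain the post
# describes: TXT strings reassembled -> base64 decoded -> decompressed -> command.
# Assumptions: gzip compression, and a constructed sample instead of a live answer.

function ConvertTo-TxtPayload {
    # "Server" side: compress, base64-encode, split into <=255-byte strings
    # (the length limit of a single character-string inside a TXT record).
    param([string]$Command, [int]$ChunkSize = 255)
    $raw = [Text.Encoding]::UTF8.GetBytes($Command)
    $ms  = New-Object IO.MemoryStream
    $gz  = New-Object IO.Compression.GzipStream -ArgumentList $ms, ([IO.Compression.CompressionMode]::Compress)
    $gz.Write($raw, 0, $raw.Length)
    $gz.Dispose()                                   # flushes and closes $ms; ToArray still works
    $b64 = [Convert]::ToBase64String($ms.ToArray())
    $chunks = for ($i = 0; $i -lt $b64.Length; $i += $ChunkSize) {
        $b64.Substring($i, [Math]::Min($ChunkSize, $b64.Length - $i))
    }
    return ,[string[]]$chunks
}

function ConvertFrom-TxtPayload {
    # "Client" side: the step the post describes, minus handing the result to cmd.exe.
    param([string[]]$Strings)
    $bytes = [Convert]::FromBase64String((-join $Strings))   # reassemble, then decode
    $in    = New-Object IO.MemoryStream -ArgumentList (,$bytes)
    $gz    = New-Object IO.Compression.GzipStream -ArgumentList $in, ([IO.Compression.CompressionMode]::Decompress)
    $out   = New-Object IO.MemoryStream
    $gz.CopyTo($out)                                # decompress
    $gz.Dispose()
    [Text.Encoding]::UTF8.GetString($out.ToArray())
}

function Get-TxtStrings {
    # Analyst helper: fetch the TXT strings of a suspect name for offline decoding.
    param([string]$Name)
    (Resolve-DnsName -Name $Name -Type TXT -ErrorAction Stop |
        Where-Object Type -eq 'TXT').Strings
}

# Constructed sample: what a stage-2 answer carrying a command would look like.
$records = ConvertTo-TxtPayload -Command 'whoami /all & ipconfig /all'
"TXT strings in the answer: $($records.Count)"
$cmd = ConvertFrom-TxtPayload -Strings $records
"Decoded command: $cmd"
# The malware would now pass $cmd to cmd.exe; an analyst stops here and reads it.
```

When working from a capture rather than a live lookup, paste the TXT strings from the Wireshark answer packet into ConvertFrom-TxtPayload in record order; the join must preserve the order the server sent them, otherwise the base64 decode fails or the decompression reports a corrupt header. If the sample uses a different compressor, only the GzipStream lines change (DeflateStream has the same constructor shape).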
Although it wasn't seen in this particular sample, a DNS-based RAT can also receive and run executable files over DNS TXT queries, just like conventional backdoors; the payload is simply chunked across many records.
Malware authors keep finding innovations that put anti-virus vendors in a tough spot. This sample is a great example of why all outbound traffic, DNS included, should be examined when looking for malware: an unusual volume of TXT queries from a workstation, or long random-looking subdomains under a single domain, is the observable this channel cannot hide.