Security researchers have identified a multi-stage piece of malware that uses a number of innovative tricks to stay persistent on infected machines and employs the DNS infrastructure as a command-and-control mechanism.
The malware, analyzed by researchers at Cisco Talos, arrives as a rigged Word document attached to a phishing email. The document is designed to look like a protected file secured by McAfee, and it carries a message telling the recipient to enable content in order to see the contents. If the victim does that, the infection chain starts, a chain that includes several stages of Powershell and uses techniques that don’t require any files to be written to disk.
“The code that is passed to Powershell via the command line is mostly Base64 encoded and compressed using gzip, with a small portion at the end that is not encoded which is then used to unpack the code and pass it to the Invoke-Expression Powershell cmdlet (IEX) for execution. This allows the code to be executed without ever requiring it to be written to the filesystem of the infected system,” Edmund Brumaghin and Colin Grady of Talos said in an analysis of the malware.
“The execution of the Powershell that is passed to IEX by the Stage 1 Word document is where we begin to observe several interesting activities occurring on an infected system.”
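The Base64-plus-gzip wrapper described above is something an analyst will meet on the command line of a suspicious Powershell process. The following is an added triage example (not code from Talos or from the article): it flags a process command line that combines an IEX/Invoke-Expression call with a long Base64 run, pulls the blob out, and decodes it back to readable script text for inspection rather than execution. The length threshold, the regexes and the sample command line are assumptions constructed for the example; the embedded blob wraps a harmless script so the decoder has something to work on.

```python
import base64
import gzip
import hashlib
import re
from typing import Optional

# Assumed heuristic: an IEX/Invoke-Expression call plus a Base64 run of at least
# 200 characters on one command line is worth a closer look. The threshold is a
# tuning choice for this example, not a figure from the Talos analysis.
_IEX_RE = re.compile(r"\b(iex|invoke-expression)\b", re.IGNORECASE)
_B64_RE = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def looks_like_encoded_stage(cmdline: str) -> bool:
    """True when the command line both invokes IEX and carries a long Base64 blob."""
    return bool(_IEX_RE.search(cmdline) and _B64_RE.search(cmdline))


def extract_blob(cmdline: str) -> Optional[str]:
    """Return the first long Base64 run found on the command line, if any."""
    m = _B64_RE.search(cmdline)
    return m.group(0) if m else None


def decode_stage(blob: str) -> str:
    """Base64-decode and gunzip a stage blob, returning script text for reading.

    The result is returned as a string for the analyst to inspect; nothing here
    evaluates it.
    """
    raw = base64.b64decode(blob)
    if raw[:2] != b"\x1f\x8b":  # gzip magic bytes
        raise ValueError("payload is Base64 but not gzip-compressed")
    return gzip.decompress(raw).decode("utf-8", errors="replace")


# --- constructed sample input (benign) ---------------------------------------
# A harmless script padded with high-entropy hex so that its gzip+Base64 form is
# long enough to trip the heuristic above.
_PADDING = "".join(
    hashlib.sha256(f"constructed-seed-{i}".encode()).hexdigest() for i in range(10)
)
SAMPLE_SCRIPT = (
    "Write-Output 'constructed benign sample script'\n"
    f"# padding: {_PADDING}\n"
)


def _build_sample_blob(script: str) -> str:
    """Helper used only to construct test input: gzip then Base64 (mtime=0 keeps it deterministic)."""
    return base64.b64encode(gzip.compress(script.encode("utf-8"), mtime=0)).decode("ascii")


SAMPLE_BLOB = _build_sample_blob(SAMPLE_SCRIPT)

# A stand-in command line; the decoding stub is deliberately a placeholder.
SAMPLE_CMDLINE = (
    "powershell.exe -NoP -W Hidden -c \"IEX (decode '" + SAMPLE_BLOB + "')\""
)

if __name__ == "__main__":
    if looks_like_encoded_stage(SAMPLE_CMDLINE):
        print("suspicious command line; decoded stage follows:")
        print(decode_stage(extract_blob(SAMPLE_CMDLINE)))
```

In practice the command line comes from process-creation telemetry (for example Sysmon event ID 1 or PowerShell script block logging); the decoder is the same regardless of source, and a non-gzip payload raises rather than silently returning garbage.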
There are several different Powershell stages contained in the malware, dubbed DNSMessenger, and stages three and four both include arrays of domains that may be used by the malware for C2 communications. Many of the domains are hosted on lesser-used TLDs and appear to be randomly generated.
“The ‘logic’ function present within this Powershell script randomly selects a C2 domain from the second array in the script and uses this domain to perform an initial lookup. If the result of the initial DNS TXT record request is empty or in the case the lookup fails, the ‘do_lookup’ function is then called and randomly selects a domain from the first array in the script. Interestingly, the domains used by the ‘do_lookup’ function did not appear to have active ‘www’ or ‘mail’ TXT records,” the Talos analysis says.
“The script also uses specific subdomains which are combined with the domains and used for the initial DNS TXT record queries performed by the malware. The malware uses the contents of the TXT record in the response to these queries to determine what action to take next. For instance, the first subdomain is ‘www’ and a query response with a TXT record containing ‘www’ will instruct the script to proceed. Other actions that may be taken are ‘idle’ and ‘stop’.”
The malware uses DNS to request the fourth stage of the payload, which actually is transmitted over TCP because of its size. The domains used for C2 communications by this malware were registered on Feb. 8 and much of the activity on those domains associated with the malware occurred during the last week of February. The Cisco researchers said that while some of the techniques used by the malware have been seen before, they should provide an insight into the ways in which attackers are changing their tactics to stay ahead of the game.
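The behaviour described in the last few paragraphs (TXT record lookups, randomly generated domains on lesser-used TLDs, and fixed probe subdomains such as ‘www’ and ‘mail’) leaves a recognisable trace in resolver logs. Here is an added detection example, written for this page and not taken from Talos, that scores each TXT query on those three traits and flags a source host once it has made several such queries. The log format, the TLD allowlist, the entropy threshold, the domain names and the IP addresses are all constructed for the example; the registered-domain and subdomain labels are not from the real campaign.

```python
import math
import re
from collections import defaultdict

# Constructed resolver-log sample in a simple key=value format (not a real
# product's format). Host 10.0.0.5 shows the TXT-lookup pattern; 10.0.0.7 does not.
SAMPLE_LOG = """\
2017-02-27T10:00:01Z src=10.0.0.5 qtype=TXT qname=www.kd83jx7qplz.club
2017-02-27T10:00:02Z src=10.0.0.5 qtype=TXT qname=www.b29ltqm4vxe.stream
2017-02-27T10:00:03Z src=10.0.0.5 qtype=TXT qname=mail.kd83jx7qplz.club
2017-02-27T10:00:04Z src=10.0.0.5 qtype=TXT qname=www.q7zp0ykd1w.win
2017-02-27T10:00:05Z src=10.0.0.7 qtype=TXT qname=_dmarc.example.com
2017-02-27T10:00:06Z src=10.0.0.7 qtype=A qname=www.example.com
"""

COMMON_TLDS = {"com", "net", "org", "edu", "gov", "io", "co"}  # assumed allowlist
PROBE_LABELS = {"www", "mail"}  # subdomains named in the Talos analysis

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) qtype=(?P<qtype>\S+) qname=(?P<qname>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    return m.groupdict() if m else None


def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score high."""
    if not s:
        return 0.0
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_name(qname):
    """Return (subdomain, registered label, tld); naive split, ignores public-suffix rules."""
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return None
    return ".".join(labels[:-2]), labels[-2], labels[-1]


def score_query(rec):
    """List the reasons a TXT query looks like DNS C2; an empty list means nothing unusual."""
    reasons = []
    if rec["qtype"] != "TXT":
        return reasons
    parts = split_name(rec["qname"])
    if not parts:
        return reasons
    sub, sld, tld = parts
    if tld not in COMMON_TLDS:
        reasons.append(f"uncommon TLD .{tld}")
    # Assumed threshold: 8+ chars, >3 bits/char, and at least one digit.
    if len(sld) >= 8 and shannon_entropy(sld) > 3.0 and any(c.isdigit() for c in sld):
        reasons.append(f"random-looking label {sld}")
    if sub in PROBE_LABELS:
        reasons.append(f"probe subdomain {sub}")
    return reasons


def detect(log_text, min_hits=3):
    """Group TXT queries with two or more reasons by source; flag sources with >= min_hits."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if not rec:
            continue
        reasons = score_query(rec)
        if len(reasons) >= 2:
            hits[rec["src"]].append((rec["qname"], reasons))
    return {src: h for src, h in hits.items() if len(h) >= min_hits}


if __name__ == "__main__":
    for src, queries in detect(SAMPLE_LOG).items():
        print(f"{src}: {len(queries)} suspicious TXT queries")
        for qname, reasons in queries:
            print(f"  {qname}: {', '.join(reasons)}")
```

The per-source aggregation matters more than any single rule: legitimate TXT lookups (SPF, DMARC, domain verification) are common, but a workstation issuing a burst of them to random-looking names on unusual TLDs is not. The same scoring can run as a streaming rule on resolver logs, and the larger fourth-stage transfer over TCP that the article mentions would need a separate network detection.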
“This malware sample is a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting. It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure,” the researchers said.