Tuesday, 7 March 2017

Cisco's Research : Malware uses DNS Queres to receive PowerShell Commands



The latest example of such attack is DNSMessenger – a new Remote Access Trojan (RAT) that uses DNS queries to conduct malicious PowerShell commands on compromised computers – a technique that makes the RAT difficult to detect onto targeted systems.
The Trojan came to the attention of Cisco's Talos threat research group by a security researcher named Simpo, who highlighted a tweet that encoded text in a PowerShell script that said 'SourceFireSux.' SourceFire is one of Cisco's corporate security products.

DNSMessenger attack is completely Fileless...!


Click to view full size image


When opened, the document launches a Visual Basic for Applications (VBA) macro to execute a self-contained PowerShell script in an attempt to run the backdoor onto the target system.

What's interesting? Everything, until this point, is done in memory, without writing any malicious files to the system's disk.

Next, the VBA script unpacks a compressed and sophisticated second stage of PowerShell, which involves checking for several parameters of the target environment, like the privileges of the logged-in user and the version of PowerShell installed on the target system.

This information is then used to ensure persistence on the infected host by changing the Windows Registry and installing a third stage PowerShell script that contains a simple backdoor.

The backdoor is being added to the Windows Management Instrumentation (WMI) database, if the victim does have administrative access, allowing the malware backdoor to stay persistent on the system even after a reboot.

The backdoor is an additional script that establishes a sophisticated 2-way communications channel over the Domain Name System (DNS) – usually used to look up the IP addresses associated with domain names, but has support for different types of records.

The DNSMessenger malware backdoor uses DNS TXT records that, by definition, allows a DNS server to attach unformatted text to a response.

The backdoor periodically sends DNS queries to one of a series of domains hard-coded in its source code. As part of those requests, it retrieves the domain's DNS TXT record, which contains further PowerShell commands that are executed but never written to the local system.

Now, this "fourth stage" Powershell script is the actual remote control tool used by the malware attacker.

This script queries the command-and-control servers via DNS TXT message requests to ask what commands to execute. Any command received is then executed, and the output is communicated back to the C&C server, allowing the attacker to execute any Windows or application commands on the infected system.

All attackers need to do is leave malicious commands and instructions inside the TXT records of their domains, which, when queried, is executed via the Windows Command Line Processor, and the output is sent back as another DNS query.

The domains registered by the DNSMessenger RAT are all down, so till now, it is not known that what types of commands the attackers relayed to infected systems. However, the researchers say this particular RAT was used in a small number of targeted attacks. 

1 comment:

  1. CONTACT: onlineghosthacker247 @gmail. com
    -Find Out If Your Husband/Wife or Boyfriend/Girlfriend Is Cheating On You
    -Let them Help You Hack Any Website Or Database
    -Hack Into Any University Portal; To Change Your Grades Or Upgrade Any Personal Information/Examination Questions
    -Hack Email; Mobile Phones; Whatsapp; Text Messages; Call Logs; Facebook And Other Social Media Accounts
    -And All Related Services
    - let them help you in recovery any lost fund scam from you
    onlineghosthacker Will Get The Job Done For You
    onlineghosthacker247 @gmail. com
    TESTED AND TRUSTED!

    ReplyDelete

Thanks for reading this article.
Please comment your reviews..This will help us improve.

Popular Posts