DNSMessenger: a fileless RAT uses DNS queries to receive commands from the C&C

Theoretically invisible to standard anti-malware defenses.


Cisco’s Talos threat research group has recently discovered a new kind of RAT (Remote Access Trojan), called DNSMessenger.

DNSMessenger is completely fileless, it works only in memory and don’t save data on filestystem. 
Furthermore it uses DNS queries to conduct malicious PowerShell commands on compromised computers, a technique that makes it invisible to standard anti-malware defenses.

The malware spreads via a malicious Word document crafted to appear as if it were associated with a secure e-mail service that is secured by McAfee:


Once opened, the document launches a VBA macro to execute a PowerShell script in order to run the backdoor onto the target system.

The backdoor establishes a 2-way communications channel over DNS requests, using DNS TXT records that, by definition, allows a DNS server to attach unformatted text to a response.


The backdoor periodically sends DNS queries to one of a series of domains hard-coded in its source code.


As part of those requests, it retrieves the domain’s DNS TXT record, which contains further PowerShell commands that are executed but never written to the local system.


This malware sample is an excellent example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting.

It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.


More information and technical analysis on original post on Talo’s Blog:

http://blog.talosintelligence.com/2017/03/dnsmessenger.html

Comments