Difficult-to-detect new malware hides in memory
Researchers at Cisco Systems Inc.’s Talos threat research group have published a report on a scary new form of malware that’s difficult to detect.
Dubbed DNSMessenger, the malware uses Microsoft PowerShell scripts to hide itself and connect directly with a server using a victim’s Domain Name Service port. It’s distributed as a Microsoft Word document spread through a phishing campaign, which attempts to appear like a known or reputable source.
Once opened, the file pretends to be a protected document secured by McAfee Security and asks the user to once again click to view the content that was supposedly in the original file. Not surprisingly, there’s no content in the file and the second click instead executes the malicious script in the file, eventually leading to the victim’s computer being compromised.
But that’s where the similarities with usual malware ends. Instead of writing the malicious code to the victim’s hard drive, the malware does everything in memory instead, making it difficult to detect. A second stage is stored in the Alternate Data Stream with the NTFS (standard Windows) file system or directly inside the registry, while a third-stage PowerShell script establishes communications with a command-and-control server via DNS. A DNS service is usually used to look up the Internet Protocol addresses associated with domain names, but in this case it is used to pass text messages instead.
What isn’t clear is exactly what sort of malicious commands the hackers are using the DNS backdoor to execute. “We were unable to get the C2 (command and control) infrastructure to issue us commands during our testing,” the Talos team said in a blog post Thursday. “Given the targeted nature of this attack, it is likely that the attackers would only issue active C2 commands to their intended target.”
While HTTP and HTTPS gateways are regularly monitored by networks, the same can’t be said for DNS, and the hackers are well aware of this.
“This malware sample is a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting,” the Talos team added. “It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc. DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.”
Image: Cisco Talos
A message from John Furrier, co-founder of SiliconANGLE:
Your vote of support is important to us and it helps us keep the content FREE.
One click below supports our mission to provide free, deep, and relevant content.
Join the community that includes more than 15,000 #CubeAlumni experts, including Amazon.com CEO Andy Jassy, Dell Technologies founder and CEO Michael Dell, Intel CEO Pat Gelsinger, and many more luminaries and experts.