Researchers at Talos, Cisco's Security Intelligence and Research Group, released findings of their investigation into a curious piece of malware that, they determined, went to great lengths to disguise its origins.
The sample "made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel," they wrote.
This tactic enables attackers, once a machine is initially infected, to use communications passing through the Domain Name System (DNS) to deliver subsequent commands and return results to the attacker. In other words, a RAT is being administered, but, the researchers explain, this is a highly unusual and evasive way to do it. The fact that the attacker is launching several stages of Powershell, with a number of those completely fileless, indicates the degree to which they are attempting to evade detection, the authors stated.
DNS is, of course, a widely used internet application protocol present on most corporate networks. While many enterprises have tools in place to inspect and filter outbound web traffic, many lack the means to mitigate DNS-based attacks such as this one, the authors said, which is why DNS is an attractive vector for attackers who tunnel other protocols through it to hide their activity.
The authors of the report, Edmund Brumaghin and Colin Grady, began their investigation by tracking a Powershell script that contained a base64-encoded string with the phrase 'SourceFireSux'. Their tracking led to a sample uploaded to the public malware analysis sandbox, Hybrid Analysis, followed by a clue on a Pastebin page that led them to a Word doc also uploaded to a public sandbox. Noticing similarities in the multiple-stage infection process in the Word doc and the sample on the Hybrid Analysis sandbox, the researchers then dug into telemetry data and identified further samples.
The Word doc appeared to be a message from an email security vendor, so targets of the phishing email were inclined to trust the message, click on the malicious link and start the macro's operations, which after several stages, decodes the Powershell payload to communicate with the C2 server.
All C2 communications associated with this malware are performed using DNS TXT queries and responses, the researchers found.
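The report's point is that DNS TXT traffic is rarely inspected, so a beacon channel like this one hides in plain sight. The following script is an added example, not code from the Talos report or from SC Media, showing one way a defender can hunt for the pattern described above in resolver query logs: a single client sending a steady stream of TXT queries to one zone, where the leftmost labels are long, high-entropy blobs that never repeat. The log format, the client addresses, the `beacon-example.test` zone and the thresholds are all constructed for the example; approximating the zone as the last two labels is an assumption a real deployment would replace with the Public Suffix List.

```python
import math
from collections import defaultdict

# Constructed sample of resolver query logs (not real telemetry).
# Format: "timestamp client qtype qname". Client 10.0.0.7 issues a run of TXT
# queries whose leftmost label is an encoded blob; the other clients are benign.
SAMPLE_LOG = """\
2017-03-03T10:00:01Z 10.0.0.5 A www.example.com
2017-03-03T10:00:02Z 10.0.0.5 TXT _dmarc.example.com
2017-03-03T10:00:03Z 10.0.0.7 TXT 7a3f9c1e4b2d8a6f0e5c.beacon-example.test
2017-03-03T10:00:04Z 10.0.0.7 TXT d4e8b1c29f7a3e06b5d1.beacon-example.test
2017-03-03T10:00:05Z 10.0.0.7 TXT 91c0f5a7e3d2b846c7a9.beacon-example.test
2017-03-03T10:00:06Z 10.0.0.7 TXT 5b6d2e9f0a1c3e7d8b4f.beacon-example.test
2017-03-03T10:00:07Z 10.0.0.7 TXT 0e7c4a2b9d1f6e3a5c8b.beacon-example.test
2017-03-03T10:00:08Z 10.0.0.9 MX example.com
"""


def shannon_entropy(text: str) -> float:
    """Bits per character; encoded payloads score high, ordinary hostnames score low."""
    if not text:
        return 0.0
    counts = defaultdict(int)
    for ch in text:
        counts[ch] += 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parse_line(line: str):
    """Split one constructed log line into its fields; malformed lines yield None."""
    parts = line.split()
    if len(parts) != 4:
        return None
    ts, client, qtype, qname = parts
    return {"ts": ts, "client": client, "qtype": qtype.upper(),
            "qname": qname.rstrip(".").lower()}


def split_name(qname: str):
    """Return (prefix, zone). The zone is approximated as the last two labels,
    an assumption for this example; production code should use the Public Suffix List."""
    labels = qname.split(".")
    if len(labels) <= 2:
        return "", qname
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def find_txt_tunnels(log_text: str, min_queries: int = 5,
                     min_entropy: float = 3.0, min_prefix_len: int = 12):
    """Group TXT queries by (client, zone) and flag groups that look like a beacon
    channel: many queries, long encoded-looking prefixes, few repeated names."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["qtype"] != "TXT":
            continue
        prefix, zone = split_name(rec["qname"])
        # Service-discovery TXT names (_dmarc, _acme-challenge, ...) are expected traffic.
        if prefix.startswith("_"):
            continue
        groups[(rec["client"], zone)].append(prefix.replace(".", ""))

    alerts = []
    for (client, zone), prefixes in groups.items():
        if len(prefixes) < min_queries:
            continue
        mean_len = sum(len(p) for p in prefixes) / len(prefixes)
        mean_ent = sum(shannon_entropy(p) for p in prefixes) / len(prefixes)
        if mean_len >= min_prefix_len and mean_ent >= min_entropy:
            alerts.append({"client": client, "zone": zone,
                           "queries": len(prefixes),
                           "unique_prefixes": len(set(prefixes)),
                           "mean_prefix_len": round(mean_len, 1),
                           "mean_entropy": round(mean_ent, 2)})
    return alerts


if __name__ == "__main__":
    for alert in find_txt_tunnels(SAMPLE_LOG):
        print(alert)
```

Run against the constructed sample, the script flags only 10.0.0.7 talking to `beacon-example.test`; the lone `_dmarc` lookup and the A/MX queries pass. The thresholds are deliberately heuristic: legitimate TXT users (SPF, DMARC, domain-verification tokens) produce short, repeated, low-volume names, so the combination of volume, length and entropy per client-zone pair separates them from a channel that has to encode fresh data in every query. In practice this belongs in a SIEM rule over resolver logs, paired with the basic control the report implies: forcing all internal hosts through a resolver you log and can filter.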
"This malware sample is a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting," they concluded. "It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc."
"This sample was fairly unusual due to its complexity and evasive nature," Craig Williams, senior technical leader and global outreach manager at Talos, told SC Media on Friday. "By utilizing txt records for command and control (c2), the attack would bypass most security devices and allow an attacker to remotely control the box undetected."
It's important to note, Williams said, that due to the nature of this c2 infrastructure, a victim's own DNS server can effectively be used against them.