US government server hosted malware in new DNS attack

12.10.2017

DNS-Messenger-attack

 

A compromised US government server has been used to host malware in an attack chain.

Cybersecurity specialists from Cisco Talos have unveiled a new version of the DNS Messenger attack which disguises as the US Securities and Exchange Commission (SEC) and hosts malware on compromised government servers.

Cisco Talos has revealed the results of an investigation into DNS Messenger, a fileless attack that uses DNS queries to execute malicious PowerShell commands on compromised computers.

The new version of this attack, which, according to the team, is "highly targeted by nature" and now attempts to compromise victims' systems by pretending to be an update to the SEC EDGAR system, which was recently the focus of a data breach related to financial fraud in specially crafted phishing email campaigns.

These spoofed emails seem legitimate, but if the victim opens them and downloads the malicious attachment, a "multi-stage infection process" begins.

The malicious attachments used in this campaign are Microsoft Word documents. Instead of using macros or OLE objects, hackers use a less common method of infection, Dynamic Data Exchange (DDE), to perform code execution and install a remote access Trojan (RAT).

According to Microsoft, DDE is not a problem that can be exploited by hackers, but rather a feature "by design" and the company refuses to fix it.

Cisco Talos disagrees and claims that has witnessed DDE "actively being used by attackers in the wild, as demonstrated in this attack."

The cybersecurity team says the latest malware campaign is similar to the previous one. The infection process uses DNS TXT records to create a bidirectional C&C channel to allow hackers to interact with the Windows Command Processor using the contents of DNS TXT record queries and responses generated from the threat hacker's DNS server.

When opened, the user is required to permit the external links to be retrieved. If he agrees, the malicious document connects to the hacker's C&C server which executes the first malware infection.

This malware was initially hosted on a Louisiana state government website, "seemingly compromised and used for this purpose," according to Cisco Talos.

Hackers use PowerShell commands, then the code is extracted, disguised, and then executed, which gives it persistence on systems, registry rewrites, scheduled task creation, and DNS requests are made.

"In this particular case, the malware featured the capability to leverage WMI, ADS, scheduled tasks, as well as registry keys to obtain persistence. The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace," said Cisco Talos.

Would you like to comment on this article?

Share

Latest news

15.12.2017

Hacker removed malware from Netgear site, the company failed to do so for 2 years

An anonymous hacker has removed malware from a Netgear site after the company failed to clean up a malware infection for more than two years.

15.12.2017

Hacker robbed church in Northern Ireland

The hacker told the priest that the church computer should be remotely accessible to fix an internet problem.

15.12.2017

Synaptics to remove keylogger from its drivers

The company has decided to remove the keylogger functionality from its products.

Sign up for our online newsletter!