DNSMessenger

The DNSMessenger remote access trojan (RAT) was first detected by a security researcher, Simpo, in February 2017. It is a sophisticated RAT and is likely used in targeted attacks. According to further investigation conducted by Cisco Talos, DNSMessenger uses malicious macros in Word documents to infect victims. The VBA script in the macro unpacks a self-contained PowerShell script and executes it. The script contains code to ensure persistence on the infected host by modifying registry keys and verifying PowerShell versions.

DNSMessenger then sends DNS queries to one of the domains included in its source code. The queries retrieve the domain’s DNS TXT records (small snippets of text that domain owners add to DNS entries), which in this case contain base64-encoded PowerShell commands. This loads more DNSMessenger components into the victim’s RAM without leaving any trace of malware code on the disk. This memory-based code allows the attacker to interact with the victim’s computer by relaying shell commands from the attacker and reading their output. It can use other DNS queries to get the commands it needs from another list of domains. The attackers leave commands inside the TXT records of their domains; the trojan queries for them, gets the command, executes it via the Windows Command Line Processor, and sends the output back as another DNS query.

In early March, the domains used and registered by the trojan were all down, preventing researchers from identifying the commands the attackers relayed to the victims. Unless victims monitor their DNS traffic, the infection will not be discovered, as DNSMessenger uses DNS queries to hide its activity.
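As an illustration of the DNS monitoring mentioned above, the following added example (not code from this page or from Cisco Talos) flags clients that both receive base64-looking TXT answers and send long, high-entropy query labels to the same domain. The log schema, thresholds, function names and example domains are assumptions made for the sketch, and the sample records are constructed.

```python
import base64, binascii, math
from collections import Counter, defaultdict

def b64(data):  # helper used only to build the constructed sample below
    return base64.b64encode(data).decode()

# Constructed records (client, qtype, qname, TXT answer); not real traffic.
SAMPLE_LOG = [
    ("10.0.0.5", "A", "www.example.com", ""),
    ("10.0.0.5", "TXT", "example.org", "v=spf1 include:_spf.example.org ~all"),
    ("10.0.0.9", "TXT", "q1.c2.example.net", b64(b"constructed command text 01")),
    ("10.0.0.9", "TXT", "q2.c2.example.net", b64(b"constructed command text 02")),
    ("10.0.0.9", "A", b64(b"constructed output chunk 01") + ".c2.example.net", ""),
    ("10.0.0.9", "A", b64(b"constructed output chunk 02") + ".c2.example.net", ""),
]

def entropy(s):
    """Shannon entropy in bits per character."""
    counts = Counter(s)
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def looks_base64(txt, min_len=24):
    """True if a TXT answer is one long token that decodes as strict base64."""
    if len(txt) < min_len or " " in txt:
        return False
    try:
        base64.b64decode(txt, validate=True)
        return True
    except (binascii.Error, ValueError):
        return False

def base_domain(qname):
    # Naive assumption: the registered domain is the last two labels.
    return ".".join(qname.rstrip(".").split(".")[-2:])

def suspicious_clients(log, min_hits=3):
    """Group indicators per (client, domain); report pairs with >= min_hits."""
    hits = defaultdict(list)
    for client, qtype, qname, answer in log:
        label = qname.split(".")[0]
        if qtype == "TXT" and looks_base64(answer):
            hits[(client, base_domain(qname))].append("base64 TXT answer")
        elif len(label) >= 32 and entropy(label) >= 4.0:
            hits[(client, base_domain(qname))].append("long high-entropy label")
    return {k: v for k, v in hits.items() if len(v) >= min_hits}

if __name__ == "__main__":
    for (client, domain), reasons in suspicious_clients(SAMPLE_LOG).items():
        print(client, domain, Counter(reasons))
```

Some legitimate services also use long encoded labels or TXT payloads, so flagged pairs are leads for triage rather than confirmed infections.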

Reporting

  • October 2017: Threat actors exploit DDE to spread DNSMessenger. (Cisco Talos)

Technical Details

  • Cisco Talos provides a technical analysis of the DNSMessenger RAT.