SEC spoofed, malware hosted on US govt server
A new version of DNS Messenger attack was discovered by the researcher, which masquerades as the SEC US Securities and Exchange Commission and plants malware on government server that is compromised.
Cisco Talos revealed a result of an investigation into DNS messenger, as the security researchers found a filess attack, which push malicious PowerShell commands into the DNS queries and pass them onto compromised computers.
This new Malware gives the user an impression that it is from the SEC Electronic Data Gathering Analysis, and Retrieval system, and it is highly targeted in nature. It is a highly crafted phishing email campaign, as found in the recent data breach related financial fraud.
The email looks legitimate, but once the victim clicks and open the link the malicious virus finds it route an settles in the system, and then begins the multi-stage infection process.
Microsoft Word is the primary carrier of this malicious attachment. The hackers use less common method of infection rather than using macro or OLE objects. They have Dynamic Data Exchange, to perform code execution to gain foothold followed by which they install a remote access Trojan.
As per Microsoft DDE is a feature, and will not be removed, and it is not an exploitable issue.
Talos disagrees, and claims that the team has witnessed DDE “actively being used by attackers in the wild, as demonstrated in this attack.”
According to Talos, “the latest malware campaign is similar to its last evolution. The infection process uses DNS TXT records to create a bidirectional command-and-control (C2) channel, in which attackers are able to interact with the Windows Command Processor using the contents of DNS TXT record queries and responses generated from the threat actor’s DNS server”.
When clicked on the link the User is asked to allow external link to be retrieved, once they click their consent the malicious document it is then taken over by the attacker, who will have the control and command of the server that executes the first malware.
According to the team ‘The Louisiana state government’s website was the first target where this malware was initially hosted, and “seemingly compromised and used for this purpose.
Craig Williams, a Senior Technical Leader at Cisco Talos when talking to ZDNet team said that by the time the findings were made public, the files were removed from the server.
PowerShell commands then come into play. Code is retrieved, obfuscated, and then executed, which kicks off persistence on systems, registry rewrites, scheduled task creation, and DNS requests are made.
“In this particular case, the malware featured the capability to leverage WMI, ADS, scheduled tasks, as well as registry keys to obtain persistence,” the researchers note. “The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace.”
While the team was unable to obtain the next stage of PowerShell code from the C2 servers, Talos says it is likely that communications are restricted to prevent security researchers from being able to track the team and their techniques further, making it more likely that their DNS-based attacks can fly under the radar for longer periods.
“Attackers often employ multiple layers of obfuscation in an attempt to make analysis more difficult, evade detection and prevention capabilities, and continue to operate under the radar by limiting their attacks to only the organizations that they are targeting,” Talos says. “It is also important for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and gain persistence on systems once they are infected.”
Julia Sowells918 Posts
Julia Sowells has been a technology and security professional. For a decade of experience in technology, she has worked on dozens of large-scale enterprise security projects, and even writing technical articles and has worked as a technical editor for Rural Press Magazine. She now lives and works in New York, where she maintains her own consulting firm with her role as security consultant while continuing to write for Hacker Combat in her limited spare time.