This cyber attack gives new meaning to the word ‘sophisticated’

Security experts recently have taken to noting the increased sophistication of the tactics of threat actors. A column this week from Cisco Systems’ Talos threat intelligence service about a new attack vector gives new meaning to the word.

Briefly, it used DNS TXT records to create a bidirectional command and control (C2) channel to directly interact with the Windows Command Processor and gain control of an enterprise DNS server. The technique is being copied.

The attack investigated by Talos started in a traditional way, with a spoofed email that contained a document with malware. In this particular attack, the email was made to appear to be from the U.S. Securities and Exchange Commission’s EDGAR document filing system for publicly traded companies. When opened, the Microsoft Word attachment would initiate a multi-stage infection process leading to infection with DNSMessenger malware. “Rather than leveraging macros or OLE objects, which are some of the most common ways that Microsoft Word documents are leveraged to execute code, these attachments leveraged Dynamic Data Exchange (DDE) to perform code execution,” say researchers.

When the document is opened, Windows does warn that it contains links to external files and asks the recipient to allow or deny the content being retrieved and displayed. If the user said yes, the malicious document would reach out to attacker-hosted content to retrieve code that would be executed to initiate the malware infection. In this particular case it retrieved code, downloaded and executed directly using PowerShell, that the attacker had initially hosted on a hacked Louisiana state government website.

Screen shot of Word warning. Image from Cisco Talos

That downloaded code executes the next stages of the infection process. It is also responsible for achieving persistence on systems, which includes checking the user's access privileges to decide how to proceed with achieving persistence.

Through some trickery the malware creates a hostname that will be used to start making DNS requests.

“This attack shows the level of sophistication that is associated with threats facing organizations today,” write the researchers. “Attackers often employ multiple layers of obfuscation in an attempt to make analysis more difficult, evade detection and prevention capabilities, and continue to operate under the radar by limiting their attacks to only the organizations that they are targeting.

“It is also important for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and gain persistence on systems once they are infected. In this particular case, the malware featured the capability to leverage WMI, ADS, scheduled tasks, as well as registry keys to obtain persistence. The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace.”

One lesson, valuable during Cyber Security Awareness Month, is to again hammer home to employees the danger of opening attachments and links. In this case one warning sign was the brief email message: “Important information about last changes in EDGAR filings.” It might have been hard for a staffer to hold off, since the attacker went to a lot of trouble to make communications look authentic, but the Word warning should have been enough to at least ask a manager if going further was safe. One clue staff should watch out for: Is the message one they were expecting?

CISOs should also take away the importance of having Web and email gateways that not only help detect malware but also prevent users from connecting to known malicious domains, IPs, and URLs.
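Because the attack described above carries its C2 traffic in DNS TXT records, resolver logs are a second place to look for it. The following is an added example, not code from this article or from Talos: it flags clients that send many TXT queries with never-repeated names to a single parent domain. The log format, thresholds, addresses and domains are all assumptions constructed for illustration.

```python
from collections import defaultdict

# Constructed sample resolver log, assumed format: "<time> <client> <qtype> <qname>".
# 10.0.0.23 beacons with changing labels; 10.0.0.5 is a mail server doing SPF/DKIM lookups.
SAMPLE_LOG = """\
2017-10-12T09:00:01Z 10.0.0.23 A www.example.org
2017-10-12T09:00:05Z 10.0.0.23 TXT q7f3k2m9.ns1.example.test
2017-10-12T09:00:35Z 10.0.0.23 TXT x0p4w8zc.ns1.example.test
2017-10-12T09:01:05Z 10.0.0.23 TXT b6n1t5ya.ns1.example.test
2017-10-12T09:01:35Z 10.0.0.23 TXT h2v9r3ke.ns1.example.test
2017-10-12T09:02:05Z 10.0.0.23 TXT m8d4s7ju.ns1.example.test
2017-10-12T09:00:10Z 10.0.0.5 TXT _spf.example.org
2017-10-12T09:00:40Z 10.0.0.5 TXT sel1._domainkey.example.org
2017-10-12T09:01:10Z 10.0.0.5 TXT _spf.example.org
2017-10-12T09:01:40Z 10.0.0.5 TXT sel1._domainkey.example.org
2017-10-12T09:02:10Z 10.0.0.5 TXT _spf.example.org
2017-10-12T09:03:00Z 10.0.0.40 TXT verify1.example.net
2017-10-12T09:04:00Z 10.0.0.40 TXT verify2.example.net
"""

MIN_TXT = 5             # assumed threshold: TXT queries per client/domain pair
MIN_UNIQUE_RATIO = 0.8  # assumed threshold: share of those queries with distinct names

def parent_domain(qname):
    """Naive parent domain: last two labels (use a public-suffix list in production)."""
    return ".".join(qname.rstrip(".").lower().split(".")[-2:])

def suspicious_txt_clients(log_text):
    """Return (client, domain, txt_count, unique_ratio) tuples worth an analyst's review."""
    names = defaultdict(list)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue  # skip malformed lines and non-TXT queries
        client, qname = parts[1], parts[3].lower()
        names[(client, parent_domain(qname))].append(qname)
    findings = []
    for (client, domain), qnames in sorted(names.items()):
        ratio = len(set(qnames)) / len(qnames)
        # Legitimate TXT lookups (SPF, DKIM) repeat a few names; a TXT-based
        # channel tends to use a fresh name for almost every query.
        if len(qnames) >= MIN_TXT and ratio >= MIN_UNIQUE_RATIO:
            findings.append((client, domain, len(qnames), round(ratio, 2)))
    return findings

if __name__ == "__main__":
    for finding in suspicious_txt_clients(SAMPLE_LOG):
        print("review: client=%s domain=%s txt_queries=%d unique_ratio=%.2f" % finding)
```

A hit is a lead for investigation rather than a verdict; tune both thresholds against a baseline of the environment's normal TXT traffic.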

Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]
