Security experts recently have taken to noting the increased sophistication of the tactics of threat actors. A column this week from Cisco Systems’ Talos threat intelligence service about a new attack vector gives new meaning to the word “sophistication.”
Briefly, it used DNS TXT records to create a bidirectional command and control (C2) channel to directly interact with the Windows Command Processor and gain control of an enterprise DNS server. The technique is being copied.
The attack investigated by Talos started in a traditional way, with a spoofed email that contained a document with malware. In this particular attack, the email was made to appear to be from the U.S. Securities and Exchange Commission’s EDGAR document filing system for publicly traded companies. When opened the Microsoft Word attachment would initiate a multi-stage infection process leading to infection with DNSMessenger malware. “Rather than leveraging macros or OLE objects, which are some of the most common ways that Microsoft Word documents are leveraged to execute code, these attachments leveraged Dynamic Data Exchange (DDE) to perform code execution,” say researchers.
When opened, Windows does warn that the document contains links to external files and asks the recipient to allow or deny the content being retrieved and displayed. If the user said yes, the malicious document would reach out to attacker-hosted content to retrieve code that would be executed to initiate the malware infection. In this particular case it retrieved code, downloaded and executed directly using PowerShell, that the attacker had initially hosted on a hacked Louisiana state government website.
That downloaded code executes the next stages of the infection process. It is also responsible for achieving persistence on systems, including determining the access privileges of the user to determine how to proceed with achieving persistence.
Through some trickery the malware creates a hostname that will be used to start making DNS requests.
“This attack shows the level of sophistication that is associated with threats facing organizations today,” write the researchers. “Attackers often employ multiple layers of obfuscation in an attempt to make analysis more difficult, evade detection and prevention capabilities, and continue to operate under the radar by limiting their attacks to only the organizations that they are targeting.
“It is also important for organizations to be aware of some of the more interesting techniques that malware is using to execute malicious code on systems and gain persistence on systems once they are infected. In this particular case, the malware featured the capability to leverage WMI, ADS, scheduled tasks, as well as registry keys to obtain persistence. The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace.”
One lesson — valuable during Cyber Security Awareness Month — is to again hammer home to employees the danger of opening attachments and links. In this case one warning sign was the brief email message: “Important information about last changes in EDGAR filings.” It might have been hard for a staffer to hold off, since the attacker went to a lot of trouble to make the communication look authentic, but the Word warning should have been enough to at least ask a manager whether going further was safe. One clue staff should watch out for: Is the message one they were expecting?
CISOs should also take away the importance of having Web and email gateways that not only help detect malware but also prevent users from connecting to known malicious domains, IPs, and URLs.
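A defender-side check for the DNS TXT-record C2 channel described above, written as an added example that is not from the Talos report or this article: it scans a resolver query log for clients issuing bursts of TXT queries whose leftmost label is long and high-entropy, which is the shape of data being tunnelled over DNS. The log format, the thresholds and the sample lines (with a placeholder domain) are all assumptions constructed for the example.

```python
import math
from collections import defaultdict

# Constructed sample resolver log (not from the Talos report): "<time> <client> <qtype> <qname>".
# Client 10.0.0.5 sends a burst of TXT queries with long hex-like leftmost labels, the shape
# of a TXT-record C2 channel; client 10.0.0.9 makes ordinary lookups. Domain is a placeholder.
SAMPLE_LOG = """\
2017-10-12T09:01:00 10.0.0.5 A www.example.com
2017-10-12T09:01:02 10.0.0.5 TXT 7a1f9c3e0b2d4e6f8a9b1c2d3e4f5a6b.stage2.attacker-placeholder.test
2017-10-12T09:01:03 10.0.0.5 TXT 9c8b7a6f5e4d3c2b1a0f9e8d7c6b5a4f.stage2.attacker-placeholder.test
2017-10-12T09:01:04 10.0.0.5 TXT 1e2d3c4b5a6f7e8d9c0b1a2f3e4d5c6b.stage2.attacker-placeholder.test
2017-10-12T09:01:05 10.0.0.5 TXT 5f6e7d8c9b0a1f2e3d4c5b6a7f8e9d0c.stage2.attacker-placeholder.test
2017-10-12T09:01:06 10.0.0.5 TXT 0a1b2c3d4e5f6a7b8c9d0e1f2a3b4c5d.stage2.attacker-placeholder.test
2017-10-12T09:01:07 10.0.0.9 TXT _dmarc.example.com
2017-10-12T09:01:08 10.0.0.9 A mail.example.com
"""

def shannon_entropy(s):
    """Bits of entropy per character; random-looking labels score near log2(alphabet size)."""
    n = len(s)
    counts = {c: s.count(c) for c in set(s)}
    return -sum(k / n * math.log2(k / n) for k in counts.values()) if n else 0.0

def registered_domain(qname):
    # Crude approximation (last two labels); a public-suffix list would be more accurate.
    return ".".join(qname.split(".")[-2:])

def find_txt_tunnel_suspects(log_text, min_queries=5, min_entropy=3.0, min_label_len=20):
    """Group TXT queries per (client, domain) and flag bursts of long, high-entropy labels."""
    stats = defaultdict(lambda: {"count": 0, "entropy": 0.0, "length": 0})
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue
        client, qname = parts[1], parts[3].rstrip(".").lower()
        label = qname.split(".")[0]  # the data-carrying label in a tunnelled query
        s = stats[(client, registered_domain(qname))]
        s["count"] += 1
        s["entropy"] += shannon_entropy(label)
        s["length"] += len(label)
    suspects = []
    for (client, domain), s in stats.items():
        mean_entropy = s["entropy"] / s["count"]
        mean_len = s["length"] / s["count"]
        if s["count"] >= min_queries and mean_entropy >= min_entropy and mean_len >= min_label_len:
            suspects.append({"client": client, "domain": domain,
                             "txt_queries": s["count"], "mean_entropy": round(mean_entropy, 2)})
    return suspects

if __name__ == "__main__":
    print(find_txt_tunnel_suspects(SAMPLE_LOG))
```

The thresholds are starting points to tune against a baseline of the organisation's normal TXT traffic (SPF, DKIM and DMARC lookups are legitimate TXT queries with short, low-entropy labels).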