IT security researchers at Talos, Cisco's security intelligence and research group, have discovered malware that can fully hide its origins. The sample that the researchers analyzed used DNS TXT record queries and responses to create a “bidirectional Command and Control channel.” The findings of their research have been published in a report compiled by Edmund Brumaghin and Colin Grady.

The report suggests that attackers can easily infect a machine and then communicate with it through the DNS (Domain Name System) to deliver further commands and achieve their malicious objectives. This hints that attackers are administering a RAT (remote access trojan) and launching numerous stages of fileless PowerShell, which Talos researchers found very unusual and evasive. It indicates that attackers are making a point of avoiding detection by using all available tools and tactics. The report stated:

“This malware sample is a great example of the length attackers are willing to go to stay undetected while operating within the environments that they are targeting. It also illustrates the importance that in addition to inspecting and filtering network protocols such as HTTP/HTTPS, SMTP/POP3, etc.”

The attack has been named DNSMessenger. When the user opens the Word file, which is presented as a Protected Document secured by McAfee, a message pops up asking the user to click the Enable Content button in order to display the document's content. However, when the victim clicks the button, a malicious PowerShell script is loaded. PowerShell is a scripting language that is built into the Windows OS and lets system administration tasks be automated. The malicious script does its work in memory and does not write any infected files to disk.

Screenshot of the malicious email

The PowerShell script then checks several parameters of the Windows-based system, such as the installed PowerShell version and the privileges of the user who is currently logged in. This information determines the next step of the attack, which is the launch of another PowerShell script that is stored either in an Alternate Data Stream (ADS) on the NTFS file system or in the registry. The third stage then begins: the PowerShell script launches another obfuscated script that establishes a link between the device and the control server through the DNS. From there on, the exchange of commands from the attackers starts.

We know that a majority of enterprises have already implemented tools to prevent communications from leaking through their web traffic, but there are still many firms that lack such means of mitigating DNS-oriented attacks. It is also a widely known fact that DNS is a very commonly used internet application protocol that almost all corporate networks rely upon heavily. Attackers are therefore using every available resource, across a variety of network protocols including DNS, to evade detection.
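One way to look for this kind of TXT-based channel in resolver query logs, as an added example that is not code from the Talos report or from this article. The log line format, the thresholds and the function names are assumptions, and the sample lines are constructed.

```python
import hashlib
import math
from collections import defaultdict

def constructed_log():
    """Constructed sample lines '<epoch> <client> <qtype> <qname>'; not real traffic."""
    lines = ["1488000001 10.0.0.5 A www.example.com",
             "1488000002 10.0.0.5 TXT example.com",
             "1488000003 10.0.0.5 TXT _dmarc.example.org"]
    for i in range(12):
        # Mail relay repeating one SPF lookup: many TXT queries, but benign.
        lines.append(f"{1488000100 + i} 10.0.0.25 TXT _spf.example.org")
        # Host sending a new hex-looking label per query, as a DNS channel would.
        label = hashlib.sha256(str(i).encode()).hexdigest()[:24]
        lines.append(f"{1488000200 + i} 10.0.0.9 TXT {label}.cdn.example.net")
    return lines

def shannon_entropy(s):
    """Bits per character of the string's empirical character distribution."""
    if not s:
        return 0.0
    probs = [s.count(c) / len(s) for c in set(s)]
    return -sum(p * math.log2(p) for p in probs)

def find_txt_tunnel_suspects(lines, min_txt=10, min_unique=0.8, min_entropy=3.0):
    """Return sorted (client, base_domain, txt_count) tuples that look like TXT tunnelling."""
    groups = defaultdict(list)
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[2].upper() != "TXT":
            continue  # skip malformed lines and non-TXT queries
        client, qname = parts[1], parts[3].rstrip(".").lower()
        labels = qname.split(".")
        # Assumption: the last two labels are the registrable domain.
        # Use a public-suffix list for names such as example.co.uk.
        groups[(client, ".".join(labels[-2:]))].append("".join(labels[:-2]))
    suspects = []
    for (client, base), subs in groups.items():
        unique_ratio = len(set(subs)) / len(subs)
        mean_entropy = sum(shannon_entropy(s) for s in subs) / len(subs)
        if len(subs) >= min_txt and unique_ratio >= min_unique and mean_entropy >= min_entropy:
            suspects.append((client, base, len(subs)))
    return sorted(suspects)

if __name__ == "__main__":
    for client, base, count in find_txt_tunnel_suspects(constructed_log()):
        print(f"suspect: {client} sent {count} high-entropy TXT queries under {base}")
```

The thresholds are starting points; tune them against a baseline of your own resolver logs, since SPF, DKIM and some endpoint security products generate legitimate TXT traffic.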

According to Brumaghin and Grady, they started their investigation by tracking a PowerShell script containing a base64-encoded string. This script displayed the phrase “SourceFireSux.” This led to the uploading of a sample to Hybrid Analysis, a public malware analysis sandbox. This was led by the appearance of a page on Pastebin, where the researcher duo found a Word file that had also been uploaded to a public sandbox.

The researchers noticed sharp similarities between the stages of infection in the Word file and in the Hybrid Analysis sandbox. Brumaghin and Grady then explored telemetry data and obtained more samples. In their opinion, this Word file was serving as a phishing ploy because it showed a message from an email security vendor, and there was also a malicious link that was used to initiate the macro's operations for decoding the PowerShell payload and communicating with the Command and Control server. The communications with the control server were to be performed using DNS TXT queries and responses.



Waqas Amir is a Milan-based cybersecurity journalist with a passion for covering latest happenings in cyber security and tech world. In addition to being the founder of this website, Waqas is also into gaming, reading and investigative journalism.