How do you make sure that your malware can still talk to its C&C servers when the infected machine sits behind a company firewall and traffic to and from the corporate network is regularly inspected? Pack the needed information into DNS traffic.
For one thing, DNS traffic is very rarely blocked, as it is needed to let users reach network resources by name instead of by IP address. Secondly, DNS traffic monitoring and filtering is not nearly as widespread as that of protocols such as HTTP/HTTPS, SMTP/POP3, and so on.
But maybe it’s time for such a practice to become a must for all companies as, according to Cisco Talos researchers, “over 90% of malware makes use of the DNS network protocol at some stage of the infection or post-infection process.”
DNSMessenger – as they dubbed a malicious backdoor RAT that they’ve recently analyzed – uses it to receive instructions from one of many C&C servers.
DNSMessenger: A multi-stage menace
The road to collecting the various payloads that ultimately result in the malware being safely ensconced in the target system was long, but they’ve succeeded, and they have pieced together the entire attack chain.
It all starts with a malicious Word document delivered as an attachment to a phishing email. Downloading and opening the file presents the target with a Word document made to look as if it were associated with an email service secured by McAfee.
If the victim does as instructed in the document, a Visual Basic for Applications (VBA) macro will trigger the unpacking and execution of a string of PowerShell commands, one after the other, in several stages.
The malware is thus able to:
- Determine whether or not to achieve persistence
- Determine how to best achieve persistence (depending on the access rights of the user account within which the malware is operating)
- Determine what domains (and subdomains) to use when sending DNS TXT record queries (it can choose among two lists of hardcoded domains – a main and a backup one)
- Download the final malicious payload that is delivered with the help of TCP.
This fourth-stage malware can receive instructions from the C&C server via DNS TXT record queries; those instructions are executed on the infected machine and their results are sent back to the attackers behind the C&C server.
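The defensive side of the above is DNS query logging. As an added example (not code from the article or from Talos, and not a signature for DNSMessenger itself), the following Python script runs over a constructed sample of DNS query log lines and flags client/domain pairs whose TXT queries look like encoded data rather than ordinary TXT lookups: many queries, almost every subdomain unique, and high per-character entropy in the subdomain labels. The log format, the hypothetical domain beacon.example, the thresholds, and the two-label approximation of the registered domain are all assumptions for the example.

```python
import math
from collections import defaultdict

# Constructed sample DNS query log (NOT from the Talos report). Fields:
# timestamp, client IP, queried name, query type. Client 10.0.0.9 mimics a
# TXT-based beacon against the hypothetical domain beacon.example; 10.0.0.7
# repeatedly refreshes ordinary DMARC/DKIM TXT records.
SAMPLE_LOG = """\
2017-03-02T10:00:01 10.0.0.5 www.example.com A
2017-03-02T10:00:02 10.0.0.5 www.example.com A
2017-03-02T10:00:03 10.0.0.5 _dmarc.example.com TXT
2017-03-02T10:00:04 10.0.0.7 _dmarc.example.com TXT
2017-03-02T10:00:05 10.0.0.7 _dmarc.example.com TXT
2017-03-02T10:00:06 10.0.0.7 _dmarc.example.com TXT
2017-03-02T10:00:07 10.0.0.7 _dmarc.example.com TXT
2017-03-02T10:00:08 10.0.0.7 _dmarc.example.com TXT
2017-03-02T10:00:09 10.0.0.7 selector1._domainkey.example.com TXT
2017-03-02T10:00:10 10.0.0.9 k3x9qz7mw2.rt5.beacon.example TXT
2017-03-02T10:00:11 10.0.0.9 p8v1ja4ds6.ny0.beacon.example TXT
2017-03-02T10:00:12 10.0.0.9 h7c2lt5ue9.bf3.beacon.example TXT
2017-03-02T10:00:13 10.0.0.9 w4g6xr0ok1.mq8.beacon.example TXT
2017-03-02T10:00:14 10.0.0.9 z2d5yn9pi7.cv4.beacon.example TXT
2017-03-02T10:00:15 10.0.0.9 t1e8hs3ab6.lx2.beacon.example TXT
"""


def shannon_entropy(text):
    """Bits of entropy per character of `text` (0.0 for empty input)."""
    if not text:
        return 0.0
    counts = {}
    for ch in text:
        counts[ch] = counts.get(ch, 0) + 1
    n = len(text)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def split_qname(qname):
    """Return (subdomain, registered_domain).

    Assumption: the registered domain is approximated as the last two
    labels; a real deployment would consult a public suffix list.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) <= 2:
        return "", ".".join(labels)
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def parse_log(text):
    """Yield (timestamp, client, qname, qtype) for each well-formed line."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip blank or malformed lines
        ts, client, qname, qtype = parts
        yield ts, client, qname, qtype.upper()


def detect_txt_beacons(log_text, min_queries=5, min_entropy=3.0,
                       min_distinct_ratio=0.8):
    """Flag (client, domain) pairs whose TXT queries look like encoded data.

    All three conditions must hold: enough TXT queries to matter, most
    subdomains never repeated (legitimate TXT lookups repeat the same few
    names), and high mean entropy of the subdomain characters.
    """
    stats = defaultdict(lambda: {"count": 0, "subdomains": set(),
                                 "entropy_sum": 0.0})
    for _ts, client, qname, qtype in parse_log(log_text):
        if qtype != "TXT":
            continue
        sub, domain = split_qname(qname)
        s = stats[(client, domain)]
        s["count"] += 1
        s["subdomains"].add(sub)
        s["entropy_sum"] += shannon_entropy(sub.replace(".", ""))

    hits = []
    for (client, domain), s in sorted(stats.items()):
        count = s["count"]
        distinct_ratio = len(s["subdomains"]) / count
        mean_entropy = s["entropy_sum"] / count
        if (count >= min_queries and distinct_ratio >= min_distinct_ratio
                and mean_entropy >= min_entropy):
            hits.append({"client": client, "domain": domain,
                         "queries": count,
                         "distinct_ratio": round(distinct_ratio, 2),
                         "mean_entropy": round(mean_entropy, 2)})
    return hits


if __name__ == "__main__":
    for hit in detect_txt_beacons(SAMPLE_LOG):
        print(hit)
```

Run against the sample, only the 10.0.0.9 / beacon.example pair is reported: 10.0.0.7 issues just as many TXT queries, but for the same two names, so its distinct ratio is low and it is not flagged. Requiring all three conditions together is what keeps DMARC, DKIM and SPF lookups out of the alert queue; tune the thresholds against your own resolver logs before relying on them.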
It is unknown what specific instructions the attackers send, but the malware allows them to execute any system or application command available on the infected machine.
The researchers have noted a @yandex.com email address associated with the C&C domains, but it’s impossible to say who is behind this malware, or what the malware is meant to do.
Still, it seems obvious that it is used for extremely targeted attacks, likely cyber espionage campaigns aimed at corporate environments.