Malware uses DNS protocol for command and control

In early March two Cisco Talos security researchers Edmund Brumaghin and Colin Grady released details of a multi-stage trojan horse which communicates with it’s creator(s) using the Domain Name Service (DNS)(defined) protocol.

Since DNS is a widely used essential protocol it is often allowed to pass through corporate and personal firewalls. The source of the malware is an email containing an attachment reportedly secured with McAfee. The attachment is a Microsoft Word document which when opened requests to enable macros (defined). If the user enables macros the macros unpacks a Microsoft PowerShell script (a computer programming language usually used for automating system administration tasks) which forms the second stage of the attack.

Next the script checks if currently logged in user has administrator rights for their Windows account and checks the installed version of PowerShell. The script then adds a backdoor (defined). If the earlier check for administrative privileges was positive the backdoor will persist after restarting or powering off the system. This backdoor uses DNS to receive and carry out commands from it’s creators.

While analysing this threat, the above mentioned security researchers did not witness the malware receiving DNS commands due to its targeted nature.

How can I protect myself from this threat?
Sine this malware arrives via email, please verify the emails you receive are genuine and not attempting to deliver malware. SANS recently provided extra advice on this (March 6th : source)

=======================
Don’t Trust Links Sent in Email Messages March 6, 2017
A common method cyber criminals use to hack into people’s computers is to send them emails with malicious links. People are tricked into opening these links because they appear to come from someone or something they know and trust. If you click on a link, you may be taken to a site that attempts to harvest your information or tries to hack into your computer. Only click on links that you were expecting. Not sure about an email? Call the person to confirm they sent it.
=======================

In addition if you inspect network traffic within your corporate network, please consider adding DNS to the list of protocols analysed. Attackers are likely to leverage this widely allowed protocol for command and control (defined) going forward.

Thank you.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s