Covert Channels and Poor Decisions: The Tale of DNSMessenger


Header image from http://blog.talosintelligence.com/2017/03/dnsmessenger.html

The Domain Name System (DNS) is one of the most commonly used Internet application protocols on corporate networks. It provides name resolution so that network resources can be reached by name rather than requiring users to memorize IP addresses. While many organizations implement strict egress filtering for web traffic, firewall rules and the like, many have far less stringent controls in place to protect against DNS-based threats. Attackers have recognized this and commonly encapsulate other network protocols within DNS to evade security devices.

Typically, this use of DNS is related to the exfiltration of information. Talos recently analyzed an interesting malware sample that made use of DNS TXT record queries and responses to create a bidirectional Command and Control (C2) channel. This allows the attacker to use DNS communications to submit new commands to be run on infected machines and to return the results of the command execution to the attacker. This is an extremely uncommon and evasive way of administering a RAT. The use of multiple stages of PowerShell, with several stages being completely fileless, indicates an attacker who has taken significant measures to avoid detection.
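As an added illustration that is not part of the Talos write-up or this post, the Python below shows one defensive heuristic for the traffic pattern just described: a single client issuing many TXT queries whose leading labels are long and high-entropy, which is the shape of a TXT-based C2 channel. The log line format, client addresses and the `c2-placeholder.test` domain are constructed assumptions; adapt the parser to your resolver's real query log.

```python
"""Flag DNS TXT-record beaconing of the kind DNSMessenger used.

Constructed example for this article, not Talos code. The log format is a
hypothetical "ts client qtype qname" line; real sources would be a BIND
query log, Windows DNS analytic log or Zeek dns.log.
"""
import math
from collections import defaultdict

# Constructed sample log lines: timestamps, clients and names are made up,
# and the C2 domain is a placeholder rather than one of the published IoCs.
SAMPLE_LOG = """\
1488479981 10.0.0.5 A www.example.com
1488479982 10.0.0.5 TXT zmn4q3x7vt.k9ls2wd0.c2-placeholder.test
1488479983 10.0.0.5 TXT 8yq2p1bn7z.ra5mcx91.c2-placeholder.test
1488479984 10.0.0.5 TXT ma4zp8kq1d.u6bw0rtt.c2-placeholder.test
1488479985 10.0.0.5 TXT 0t9r4vcw2l.nx2qjf7p.c2-placeholder.test
1488479986 10.0.0.7 TXT _dmarc.example.com
1488479987 10.0.0.7 TXT example.com
1488479988 10.0.0.5 TXT b7xkq2zw5e.lp9a3hdm.c2-placeholder.test
"""


def entropy(s):
    """Shannon entropy of s in bits per character (0.0 for empty input)."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())


def registered_domain(qname):
    """Crude eTLD+1 (last two labels); use a public-suffix list in production."""
    return ".".join(qname.rstrip(".").split(".")[-2:])


def find_txt_c2(log_text, min_queries=4, min_entropy=3.0, min_len=16):
    """Return {(client, domain): count} for client/domain pairs whose TXT
    queries are frequent and carry long, high-entropy subdomain labels."""
    stats = defaultdict(int)
    for line in log_text.splitlines():
        _ts, client, qtype, qname = line.split()
        if qtype != "TXT":
            continue
        labels = qname.rstrip(".").split(".")
        domain = ".".join(labels[-2:])
        sub = ".".join(labels[:-2])  # the part the malware controls per query
        if len(sub) >= min_len and entropy(sub) >= min_entropy:
            stats[(client, domain)] += 1
    return {k: v for k, v in stats.items() if v >= min_queries}
```

Thresholds are starting points: legitimate TXT lookups (SPF, DMARC, domain verification) are short, low-volume and low-entropy, so tune `min_queries` and `min_len` against a baseline of your own resolver logs.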

VirusTotal: https://www.virustotal.com/file/340795d1f2c2bdab1f2382188a7b5c838e0a79d3f059d2db9eb274b0205f6981/analysis/1488479981/

Read more: http://blog.talosintelligence.com/2017/03/dnsmessenger.html 

Indicators of Compromise:
