Delaware, USA – October 13, 2017 – Researchers from Cisco Talos reported a targeted attack on a number of organizations in the US, in which adversaries used the fileless Remote Access Tool DNSMessenger. This campaign is notable for its use of a compromised government server and for its method of distribution. Malicious emails were disguised as messages from the Securities and Exchange Commission, and the attackers used the Dynamic Data Exchange (DDE) function in the attached MS Word document to download and install the DNSMessenger Trojan. Exploitation of the DDE protocol was recently described by researchers from SensePost.
When opened, the malicious document asked the user for permission to update its content from linked files. If a user in the attacked organization allowed this, the MS Word file connected to the compromised server and ran PowerShell scripts to carry the infection further and achieve persistence on the system.
DNSMessenger uses the DNS protocol to communicate with its command and control server. The RAT is entirely fileless, which makes its presence hard to detect. DNS monitoring solutions are deployed only rarely, while the frequency with which cybercriminals abuse DNS keeps increasing. Security officers should investigate any suspicious DNS activity, as it may indicate a sophisticated attack on the organization. If your organization uses ArcSight, QRadar, or Splunk, you can use the DNS Security Check from Use Case Cloud to detect threats associated with this protocol. This SIEM use case provides automatic alerts about possible cyberattacks that abuse the DNS protocol at various stages of the Cyber Kill Chain.
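As an added, defender-side illustration of the DNS monitoring the article recommends (this is example code, not Talos's analysis or the Use Case Cloud check), the Python below applies two simple heuristics to constructed resolver log lines: a long, high-entropy leftmost label that looks like encoded data, and repeated TXT lookups from one client against one registered domain. The log format, client addresses and the `c2-placeholder.test` domain are all assumptions made up for the sample.

```python
import math
from collections import Counter, defaultdict

# Constructed sample resolver log (not from the Talos report).
# Assumed format per line: "<timestamp> <client_ip> <query_type> <qname>"
SAMPLE_LOG = """\
2017-10-13T09:00:01 10.0.0.5 A www.example.com
2017-10-13T09:00:02 10.0.0.5 TXT 4b2f9c1e7a3d5b8f0c6e2a9d1f7b3c5e.c2-placeholder.test
2017-10-13T09:00:03 10.0.0.5 TXT 9e1d3c5b7a2f4e6d8c0b1a3f5e7d9c2b.c2-placeholder.test
2017-10-13T09:00:04 10.0.0.5 TXT 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d.c2-placeholder.test
2017-10-13T09:00:05 10.0.0.5 A mail.example.com
2017-10-13T09:00:06 10.0.0.7 TXT _dmarc.example.com
"""


def shannon_entropy(label: str) -> float:
    """Bits of entropy per character; encoded blobs score far higher than words."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def registered_domain(qname: str) -> str:
    """Crude 'last two labels' approximation of the registered domain (no PSL)."""
    parts = qname.rstrip(".").split(".")
    return ".".join(parts[-2:]) if len(parts) >= 2 else qname


def analyze_dns_log(text, min_label_len=20, min_entropy=3.0, min_txt_per_domain=3):
    """Return (suspicious_queries, beaconing_pairs) for the constructed log format."""
    suspicious = []
    txt_counts = defaultdict(int)
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, qtype, qname = line.split()
        first_label = qname.split(".")[0]
        # Heuristic 1: a long, high-entropy leftmost label resembles encoded data
        if len(first_label) >= min_label_len and shannon_entropy(first_label) >= min_entropy:
            suspicious.append((ts, client, qtype, qname))
        # Heuristic 2: many TXT lookups from one client to one domain suggest a channel
        if qtype == "TXT":
            txt_counts[(client, registered_domain(qname))] += 1
    beaconing = [(client, dom, n) for (client, dom), n in txt_counts.items()
                 if n >= min_txt_per_domain]
    return suspicious, beaconing


if __name__ == "__main__":
    for item in analyze_dns_log(SAMPLE_LOG):
        print(item)
```

Thresholds are starting points to tune against your own baseline; legitimate TXT traffic such as DMARC or DKIM lookups stays below both heuristics here.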