A compromised US government server has been used to host malware in an attack chain.
Researchers at Cisco Talos have described a new version of the DNSMessenger attack, which impersonates the US Securities and Exchange Commission (SEC) and stages its malware on compromised government servers.
Cisco Talos has published the results of an investigation into DNSMessenger, a fileless attack that uses DNS TXT records to deliver and execute malicious PowerShell commands on compromised computers.
The new version, which the team describes as "highly targeted by nature", now tries to compromise victims' systems with specially crafted phishing emails that pose as an update to the SEC's EDGAR filing system, a system that was itself recently the focus of a data breach linked to financial fraud.
The spoofed emails look legitimate, but if the victim opens the malicious attachment a "multi-stage infection process" begins.
The attachments used in this campaign are Microsoft Word documents. Instead of macros or OLE objects, the attackers use a less common infection method, Dynamic Data Exchange (DDE), to achieve code execution and install a remote access Trojan (RAT).
Microsoft's position is that DDE is not a vulnerability for attackers to exploit but a feature that works "by design", and the company has declined to fix it.
Cisco Talos disagrees, saying it has witnessed DDE "actively being used by attackers in the wild, as demonstrated in this attack."
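Because DDE lives in an ordinary Word field rather than a macro, the document can be inspected without opening it in Word. The scanner below is an added example written for this article, not Talos's or Microsoft's code: it unzips a .docx, walks every WordprocessingML part, reassembles each field instruction from its `w:instrText` runs (attackers split the keyword across runs to defeat a naive grep) and reports any field whose instruction contains DDE or DDEAUTO. The two sample documents are constructed in memory; the command in the malicious one is a placeholder and is not the command from this campaign.

```python
"""Scan a .docx for Word DDE/DDEAUTO field codes (added example, not from Talos)."""
import io
import re
import zipfile
import xml.etree.ElementTree as ET

W = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"
DDE_RE = re.compile(r"\bDDE(?:AUTO)?\b", re.IGNORECASE)


def field_instructions(xml_bytes):
    """Yield every complete field instruction in one WordprocessingML part.

    A complex field is stored as fldChar begin / instrText runs / fldChar
    separate / result runs / fldChar end.  The instruction may be split across
    many instrText runs, so the runs are concatenated until the matching end
    marker.  Simple fields keep their instruction in fldSimple's w:instr.
    """
    root = ET.fromstring(xml_bytes)
    stack = []  # one buffer per currently open (possibly nested) complex field
    for el in root.iter():  # document order
        if el.tag == W + "fldSimple":
            yield el.get(W + "instr", "")
        elif el.tag == W + "fldChar":
            kind = el.get(W + "fldCharType")
            if kind == "begin":
                stack.append([])
            elif kind == "end" and stack:
                yield "".join(stack.pop())
        elif el.tag == W + "instrText" and stack:
            stack[-1].append(el.text or "")


def find_dde_fields(docx_bytes):
    """Return [(part_name, normalised_instruction)] for every DDE field."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as zf:
        for name in zf.namelist():
            # body, headers, footers, footnotes and endnotes can all carry fields
            if not (name.startswith("word/") and name.endswith(".xml")):
                continue
            try:
                for instr in field_instructions(zf.read(name)):
                    if DDE_RE.search(instr):
                        findings.append((name, " ".join(instr.split())))
            except ET.ParseError:
                continue  # not a parseable XML part; skip rather than crash
    return findings


def build_docx(document_xml):
    """Constructed minimal .docx: a zip holding only the part the scanner reads."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")  # placeholder, never parsed
        zf.writestr("word/document.xml", document_xml)
    return buf.getvalue()


_HEAD = ('<w:document xmlns:w="http://schemas.openxmlformats.org/'
         'wordprocessingml/2006/main"><w:body><w:p>')
_TAIL = "</w:p></w:body></w:document>"

# Constructed malicious part: "DDEAUTO" is split "DD" + "EAUTO" across two runs,
# and the launched command is an illustrative placeholder (assumption).
MALICIOUS_DOCUMENT_XML = _HEAD + (
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DD</w:instrText></w:r>'
    '<w:r><w:instrText xml:space="preserve">EAUTO C:\\Windows\\System32\\cmd.exe '
    '"/k powershell -w hidden" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>Error! Unable to open link</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
) + _TAIL

# Constructed benign part: a simple PAGE field and a complex DATE field.
BENIGN_DOCUMENT_XML = _HEAD + (
    '<w:fldSimple w:instr=" PAGE \\* MERGEFORMAT "><w:r><w:t>1</w:t></w:r></w:fldSimple>'
    '<w:r><w:fldChar w:fldCharType="begin"/></w:r>'
    '<w:r><w:instrText xml:space="preserve"> DATE \\@ "d/M/yyyy" </w:instrText></w:r>'
    '<w:r><w:fldChar w:fldCharType="separate"/></w:r>'
    '<w:r><w:t>13/10/2017</w:t></w:r>'
    '<w:r><w:fldChar w:fldCharType="end"/></w:r>'
) + _TAIL


if __name__ == "__main__":
    for label, xml in (("benign", BENIGN_DOCUMENT_XML), ("malicious", MALICIOUS_DOCUMENT_XML)):
        print(label, find_dde_fields(build_docx(xml)))
```

Run it against a real attachment by passing the file's bytes to `find_dde_fields`; a document that should show nothing more than a "Do you want to update this document with the data from the linked files?" prompt will still reveal its `DDEAUTO` instruction here, whichever way the runs were split.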
Talos says the latest campaign closely resembles the earlier one. The infection process uses DNS TXT records to build a bidirectional command-and-control (C2) channel, letting the attackers interact with the Windows Command Processor through the contents of TXT record queries and of the responses generated by the attacker's DNS server.
When the document is opened, Word prompts the user to allow it to update its external links. If the user accepts, the DDE field runs code that contacts attacker-controlled infrastructure and begins the first stage of the infection.
That first stage was initially hosted on a Louisiana state government website, "seemingly compromised and used for this purpose," according to Cisco Talos.
The first stage is PowerShell: the retrieved code is extracted, de-obfuscated and executed, establishes persistence on the system (registry changes and scheduled-task creation), and then issues the DNS requests through which later stages and commands arrive.
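A TXT-record C2 channel of the kind described above leaves a distinctive footprint in resolver logs: one client repeatedly asking for TXT records under one domain, with long random-looking labels that change on almost every query so that caches never answer. The detector below is an added example for this article, not a Talos tool; it parses BIND-style query-log lines and scores each (client, registered domain) pair on TXT volume, label length, label entropy and label uniqueness. The log lines, the `c2-placeholder.test` domain, the session-id-plus-counter label layout and every threshold are constructed for the demonstration and are not taken from the report.

```python
"""Flag DNS TXT query patterns consistent with a TXT-record C2 channel
(added example; log lines, domains and thresholds are constructed)."""
import math
import re
from collections import Counter, defaultdict
from typing import NamedTuple

# BIND "queries" category line, e.g.
# 13-Oct-2017 10:02:13.412 client 10.0.0.5#51240 (x.example.test): query: x.example.test IN TXT + (10.0.0.1)
QUERY_RE = re.compile(
    r"client (?P<client>[0-9a-fA-F:.]+)#\d+ \([^)]*\): query: "
    r"(?P<qname>\S+) IN (?P<qtype>[A-Z0-9]+) "
)


class Alert(NamedTuple):
    client: str
    domain: str
    queries: int
    unique_ratio: float
    mean_label_len: float
    mean_entropy: float


def shannon_entropy(s):
    """Bits per character: random-looking labels score high, words score low."""
    if not s:
        return 0.0
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def split_name(qname):
    """Crude (subdomain, registered domain) split on the last two labels.
    A real deployment should use the public suffix list (co.uk and friends)."""
    labels = qname.rstrip(".").lower().split(".")
    return ".".join(labels[:-2]), ".".join(labels[-2:])


def detect_txt_tunnels(log_text, min_queries=5, min_mean_len=12,
                       min_entropy=3.0, min_unique_ratio=0.8):
    """Return Alerts for (client, domain) pairs whose TXT traffic looks like a
    polling channel: many queries, long high-entropy subdomains, and a fresh
    name almost every time.  All thresholds are assumed starting points."""
    stats = defaultdict(lambda: {"n": 0, "lens": [], "ents": [], "names": set()})
    for m in QUERY_RE.finditer(log_text):
        if m.group("qtype") != "TXT":
            continue  # A/AAAA/MX traffic is out of scope for this detector
        sub, domain = split_name(m.group("qname"))
        s = stats[(m.group("client"), domain)]
        s["n"] += 1
        s["lens"].append(len(sub))
        s["ents"].append(shannon_entropy(sub))
        s["names"].add(m.group("qname").lower())
    alerts = []
    for (client, domain), s in stats.items():
        n = s["n"]
        mean_len = sum(s["lens"]) / n
        mean_ent = sum(s["ents"]) / n
        uniq = len(s["names"]) / n
        if (n >= min_queries and mean_len >= min_mean_len
                and mean_ent >= min_entropy and uniq >= min_unique_ratio):
            alerts.append(Alert(client, domain, n, uniq, mean_len, mean_ent))
    return sorted(alerts, key=lambda a: (-a.queries, a.client))


# Constructed sample log (not real traffic).  10.0.0.5 polls a placeholder C2
# domain with a fixed session-id label and a changing counter label;
# 10.0.0.7 does ordinary TXT lookups (DMARC, ACME); both do normal A lookups.
SAMPLE_LOG = """\
13-Oct-2017 10:02:11.101 client 10.0.0.5#51234 (www.example.com): query: www.example.com IN A + (10.0.0.1)
13-Oct-2017 10:02:13.412 client 10.0.0.5#51240 (5e2a9c7f1b4d8e0a.3c1f.c2-placeholder.test): query: 5e2a9c7f1b4d8e0a.3c1f.c2-placeholder.test IN TXT + (10.0.0.1)
13-Oct-2017 10:02:43.420 client 10.0.0.5#51241 (5e2a9c7f1b4d8e0a.3c20.c2-placeholder.test): query: 5e2a9c7f1b4d8e0a.3c20.c2-placeholder.test IN TXT + (10.0.0.1)
13-Oct-2017 10:02:50.008 client 10.0.0.7#40011 (_dmarc.example.com): query: _dmarc.example.com IN TXT + (10.0.0.1)
13-Oct-2017 10:03:13.431 client 10.0.0.5#51242 (5e2a9c7f1b4d8e0a.3c21.c2-placeholder.test): query: 5e2a9c7f1b4d8e0a.3c21.c2-placeholder.test IN TXT + (10.0.0.1)
13-Oct-2017 10:03:43.440 client 10.0.0.5#51243 (5e2a9c7f1b4d8e0a.3c22.c2-placeholder.test): query: 5e2a9c7f1b4d8e0a.3c22.c2-placeholder.test IN TXT + (10.0.0.1)
13-Oct-2017 10:03:55.100 client 10.0.0.7#40012 (example.com): query: example.com IN TXT + (10.0.0.1)
13-Oct-2017 10:04:13.452 client 10.0.0.5#51244 (5e2a9c7f1b4d8e0a.3c23.c2-placeholder.test): query: 5e2a9c7f1b4d8e0a.3c23.c2-placeholder.test IN TXT + (10.0.0.1)
13-Oct-2017 10:04:43.461 client 10.0.0.5#51245 (5e2a9c7f1b4d8e0a.3c24.c2-placeholder.test): query: 5e2a9c7f1b4d8e0a.3c24.c2-placeholder.test IN TXT + (10.0.0.1)
13-Oct-2017 10:05:01.222 client 10.0.0.7#40013 (_acme-challenge.example.com): query: _acme-challenge.example.com IN TXT + (10.0.0.1)
13-Oct-2017 10:05:13.470 client 10.0.0.5#51246 (5e2a9c7f1b4d8e0a.3c25.c2-placeholder.test): query: 5e2a9c7f1b4d8e0a.3c25.c2-placeholder.test IN TXT + (10.0.0.1)
13-Oct-2017 10:05:43.481 client 10.0.0.5#51247 (5e2a9c7f1b4d8e0a.3c26.c2-placeholder.test): query: 5e2a9c7f1b4d8e0a.3c26.c2-placeholder.test IN TXT + (10.0.0.1)
13-Oct-2017 10:05:50.000 client 10.0.0.7#40014 (www.example.com): query: www.example.com IN A + (10.0.0.1)
"""

if __name__ == "__main__":
    for alert in detect_txt_tunnels(SAMPLE_LOG):
        print(alert)
```

The uniqueness ratio is what separates a polling channel from a host that simply re-resolves the same SPF or DMARC record; the entropy and length checks separate it from legitimate services that rotate short, readable subdomains. Tune the thresholds against a day of your own resolver logs before alerting on them.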
"In this particular case, the malware featured the capability to leverage WMI, ADS, scheduled tasks, as well as registry keys to obtain persistence. The use of DNS as a conveyance for later stage code and C2 communications is also becoming more and more commonplace," said Cisco Talos.