A recently discovered DNSMessenger campaign is abusing compromised U.S. state government servers to host malware, Cisco Talos security researchers say.
First uncovered in early March, the DNSMessenger attack involved the use of DNS requests to establish communication between a PowerShell RAT and its command and control (C&C) servers. Completely fileless and invisible to most standard defenses, the attack was highly targeted and researchers attributed it to a sophisticated threat actor.
Cisco now says that additional attacks leveraging this type of malware were discovered, targeting several organizations in an attempt to infect them with malware. Specific to this campaign is the use of DNS TXT records to create a bidirectional C&C channel and directly interact with the Windows Command Processor.
The attackers use spear phishing emails to spread the malware and leverage U.S. state government servers to host the malicious code necessary in the later stages of the infection chain. The emails, Cisco reveals, are spoofed to seem as if they were sent from the Securities and Exchange Commission (SEC) Electronic Data Gathering, Analysis, and Retrieval (EDGAR) system.
In March this year, attacks targeting U.S. organizations and focused on personnel that handle filings to the SEC were attributed to the hacking group known as FIN7. The incidents were later tied to a framework used in the DNSMessenger campaign as well, as all attacks were supposedly orchestrated by a single threat group.
“The organizations targeted in this latest malware campaign were similar to those targeted during previous DNSMessenger campaigns. These attacks were highly targeted in nature, the use of obfuscation as well as the presence of a complex multi-stage infection process indicates that this is a sophisticated and highly motivated threat actor that is continuing to operate,” Cisco Talos reports.
The spear phishing emails used in the new attack contained attached Microsoft Word documents (also made to appear as if originating from SEC) that would leverage Dynamic Data Exchange (DDE) to perform code execution. When opened, the documents would prompt the user to allow the retrieval of content from included external links.
The DDEAUTO field used by the malicious document retrieved code initially hosted on a compromised Louisiana state government website. The downloaded code is executed using PowerShell and is responsible for achieving persistence and starting the next stage of the infection chain.
Heavily obfuscated, the next stage of infection establishes communication with the C&C and receives code via DNS. When this step is completed, the result string is decoded and decompressed and then passed to the Powershell IEX cmdlet to execute the code retrieved.
Cisco’s researchers weren’t able to obtain the next stage of PowerShell code from the C&C server and believe that this could be so because of the highly targeted nature of the attack. The actors behind the operation might be restricting communications to evade analysis.
Other researchers, however, were able to retrieve the code and reveal that it contains the usual set of information gathering capabilities. The stage 4 code, which includes a different structure of DNS records being used for commands, apparently exfiltrates data via a hardcoded web form.
This attack, Cisco concludes, shows the level of sophistication associated with threats facing organizations today: it includes multiple layers of obfuscation, it limits compromise to only the organizations of interest, and uses new techniques to execute malicious code on systems (leverages WMI, ADS, scheduled tasks, and registry keys to obtain persistence).
Related: SEC Says It Was Hacked in 2016